You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Eric Norman (Jira)" <ji...@apache.org> on 2022/04/09 21:13:00 UTC

[jira] [Resolved] (SLING-11233) Change ACL json output structure to be less ambiguous for restrictions

     [ https://issues.apache.org/jira/browse/SLING-11233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman resolved SLING-11233.
---------------------------------
    Resolution: Fixed

Merged PR at:  [{{505c173}}|https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-accessmanager/commit/505c1736947e510f8dd54be27a6422271dcde5b5]

> Change ACL json output structure to be less ambiguous for restrictions
> ----------------------------------------------------------------------
>
>                 Key: SLING-11233
>                 URL: https://issues.apache.org/jira/browse/SLING-11233
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: JCR Jackrabbit Access Manager 3.0.12
>
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> The restriction details in the ACL json output can be ambiguous in some situations.
> For example, in the example below it is not clear if the "rep:glob" restriction applies to the "jcr:read" privilege or the "rep:write" privilege.
>  
> {code:java}
> {
>   "user1":{
>     "principal":"user1",
>     "granted":[
>       "jcr:read"
>     ],
>     "denied":[
>       "rep:write"
>     ],
>     "order":0,
>     "restrictions":{
>       "rep:glob":"glob1"
>     }
>   }
> } {code}
>  
>  
> Expected:
> The JSON structure of the ACE should be enhanced to make it more clear. 
> For example, replace the "granted/denied/restrictions" items with a "privileges" structure whose items are the granted or denied privileges.  Each privilege has a "deny" and/or "grant" child whose value is either true (no restrictions) or an array of restrictions + values.
> For example:
>  
> {code:java}
> {
>   "user1":{
>     "principal":"user1",
>     "order":0,
>     "privileges":{
>       "jcr:read":{
>         "allow":{
>           "rep:glob":"glob1"
>         }
>       },
>       "jcr:readAccessControl":{
>         "allow":{
>           "rep:itemNames":[
>             "name1",
>             "name2"
>           ]
>         }
>       },
>       "rep:write":{
>         "deny":true
>       }
>     }
>   }
> } {code}
> The new format should also be flexible enough to describe a privilege that is granted and denied with different restrictions for each of those states.  That scenario is impossible to describe in the old format.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)