Posted to dev@jackrabbit.apache.org by Ian Boston <ie...@tfd.co.uk> on 2009/11/01 17:41:30 UTC

Removed Principals make ACLs deny everything.

Looking at 1.5.7 (may also be the case in later versions)

IIUC, removing a User from the UserManager causes a  
NoSuchPrincipalException in the ACLTemplate.init(...) line 113, which  
generates a deny on that node, regardless of the user accessing the  
node.

IMHO, there should be a try catch on the processing of each ACE to  
guard against this.

Removing all ACEs at the same time as removing a Principal is  
probably not practical as the PrincipalManager might (if replaced)  
look up principals externally.

?

Can provide a patch, if this is the right approach.
Ian
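
The failure mode and the per-ACE guard proposed in the message above, as an added example that is not part of the original post and is not Jackrabbit code. It is a simplified, self-contained model: the class, record and method names, the sample entries and the "later entry wins" evaluation rule are all assumptions made for illustration.

```java
import java.util.*;
// Simplified model, not Jackrabbit's classes: every name below is hypothetical.
public class OrphanedAceDemo {
    record Ace(String principal, boolean allow, String privilege) {}
    static class NoSuchPrincipalException extends Exception {
        NoSuchPrincipalException(String name) { super(name); }
    }
    // Constructed sample data: "bob" has been removed from the user store.
    static final Set<String> KNOWN = Set.of("alice", "editors");
    static final List<Ace> STORED = List.of(
        new Ace("alice", true, "jcr:read"),
        new Ace("bob", true, "jcr:write"),   // orphaned entry
        new Ace("editors", true, "jcr:write"));
    static void resolve(String name) throws NoSuchPrincipalException {
        if (!KNOWN.contains(name)) throw new NoSuchPrincipalException(name);
    }
    // Behaviour described in the post: one unresolvable principal aborts the load.
    static List<Ace> loadAllOrNothing(List<Ace> stored) throws NoSuchPrincipalException {
        List<Ace> out = new ArrayList<>();
        for (Ace ace : stored) { resolve(ace.principal()); out.add(ace); }
        return out;
    }
    // Proposed guard: try/catch per ACE, skipping and recording only the orphan.
    static List<Ace> loadPerAce(List<Ace> stored, List<String> skipped) {
        List<Ace> out = new ArrayList<>();
        for (Ace ace : stored) {
            try { resolve(ace.principal()); out.add(ace); }
            catch (NoSuchPrincipalException e) { skipped.add(e.getMessage()); }
        }
        return out;
    }
    // Default deny; a later matching entry overrides an earlier one.
    static boolean allowed(List<Ace> acl, Set<String> who, String privilege) {
        boolean result = false;
        for (Ace ace : acl)
            if (who.contains(ace.principal()) && ace.privilege().equals(privilege))
                result = ace.allow();
        return result;
    }
    public static void main(String[] args) {
        List<Ace> acl;
        try { acl = loadAllOrNothing(STORED); }
        catch (NoSuchPrincipalException e) { acl = List.of(); } // node denies everyone
        System.out.println("all-or-nothing: " + allowed(acl, Set.of("alice"), "jcr:read"));
        List<String> skipped = new ArrayList<>();
        acl = loadPerAce(STORED, skipped);
        System.out.println("per-ACE: " + allowed(acl, Set.of("alice"), "jcr:read") + " skipped=" + skipped);
    }
}
```

The skipped entries are recorded rather than silently dropped, so an operator can tell a removed principal apart from an external principal lookup that failed.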


Re: Removed Principals make ACLs deny everything.

Posted by Ian Boston <ie...@tfd.co.uk>.
Sorry, see it's fixed in trunk, ignore me.
Ian

On 1 Nov 2009, at 16:41, Ian Boston wrote:

> Looking at 1.5.7 (may also be the case in later versions)
>
> IIUC, removing a User from the UserManager causes a  
> NoSuchPrincipalException in the ACLTemplate.init(...) line 113, which  
> generates a deny on that node, regardless of the user accessing the  
> node.
>
> IMHO, there should be a try catch on the processing of each ACE to  
> guard against this.
>
> Removing all ACEs at the same time as removing a Principal is  
> probably not practical as the PrincipalManager might (if replaced)  
> look up principals externally.
>
> ?
>
> Can provide a patch, if this is the right approach.
> Ian
>