Posted to commits@sling.apache.org by kw...@apache.org on 2021/04/08 11:47:12 UTC
[sling-org-apache-sling-jcr-repoinit] 01/01: SLING-10281 revert
SLING-9449
This is an automated email from the ASF dual-hosted git repository.
kwin pushed a commit to branch bugfix/revert-SLING-9449
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-repoinit.git
commit 1ab45558af630cdb6845c331c994e6650589ebcd
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Thu Apr 8 13:47:00 2021 +0200
SLING-10281 revert SLING-9449
make repoinit throw exceptions in case principal acls can not be applied
---
src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java | 5 +----
.../java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java | 7 +++++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
index cde2e34..6b68c21 100644
--- a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
+++ b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
@@ -221,10 +221,7 @@ public class AclUtil {
// no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with the same definition exists
// or if there exists no node at the effective path (unable to evaluate path-based entries).
LOG.info("No PrincipalAccessControlList available for principal {}", principal);
- if (!containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions())) {
- LOG.warn("No equivalent path-based entry exists for principal {} and effective path {} ", principal.getName(), effectivePath);
- return;
- }
+ checkState(containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions()), "No PrincipalAccessControlList available for principal '" + principal + "'.");
} else {
final LocalRestrictions restrictions = createLocalRestrictions(line.getRestrictions(), acl, session);
final boolean added = acl.addEntry(effectivePath, privileges, restrictions.getRestrictions(), restrictions.getMVRestrictions());
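Review bot: The message passed to `checkState` names only the principal, so the exception no longer says which effective path was being processed or that the missing piece is an equivalent path-based entry, both of which the removed `LOG.warn` reported. Since this failure now aborts repoinit, I would carry that context into the message and use the principal's name rather than its `toString()`: `"No PrincipalAccessControlList available for principal '" + principal.getName() + "' and no equivalent path-based entry at '" + effectivePath + "'."`. The comment above still lists a second non-failing case (no node at the effective path); that now depends entirely on what `containsEquivalentEntry` returns for a missing node, which is not visible in this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.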
diff --git a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
index b0a9a84..68af580 100644
--- a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
+++ b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
@@ -456,11 +456,12 @@ public class PrincipalBasedAclTest {
assertEquals(2, pacl.size());
}
- @Test
+ @Test(expected = RuntimeException.class)
public void principalAclNotAvailable() throws Exception {
try {
// create service user outside of supported tree for principal-based access control
U.parseAndExecute("create service user otherSystemPrincipal");
+ // principal-based ac-setup must fail as service user is not located below supported path
String setup = "set principal ACL for otherSystemPrincipal \n"
+ "allow jcr:read on " + path + "\n"
+ "end";
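Review bot: `@Test(expected = RuntimeException.class)` on `principalAclNotAvailable` is satisfied by any unchecked exception thrown anywhere in the method, so the test also passes if the `create service user` step fails for an unrelated reason and the ACL statement is never reached. The same annotation is added to `principalAclNotAvailableRestrictionMismatch` (hunk at -470), where a `NullPointerException` from `getAuthorizable("otherSystemPrincipal").getPrincipal()` would satisfy it too. Because these tests guard the fail-closed behaviour of ACL setup, I would drop `expected` and scope the check to the final call, which is presumably a `U.parseAndExecute(setup)` outside this hunk: `try { U.parseAndExecute(setup); fail("principal ACL setup must fail"); } catch (RuntimeException expected) { /* optionally assert on the message */ }`. Alternatively, narrow `expected` to the exact type `checkState` throws, which is not visible here. Both test bodies continue outside their hunks.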
@@ -470,7 +471,7 @@ public class PrincipalBasedAclTest {
}
}
- @Test
+ @Test(expected = RuntimeException.class)
public void principalAclNotAvailableRestrictionMismatch() throws Exception {
JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) adminSession.getAccessControlManager();
try {
@@ -485,6 +486,8 @@ public class PrincipalBasedAclTest {
Principal principal = adminSession.getUserManager().getAuthorizable("otherSystemPrincipal").getPrincipal();
assertTrue(acMgr.hasPrivileges(path, Collections.singleton(principal), AccessControlUtils.privilegesFromNames(adminSession, Privilege.JCR_READ)));
+ // setting up principal-acl will not succeed (principal not located below supported path)
+ // since effective entry doesn't match the restriction -> setup must fail
setup = "set principal ACL for otherSystemPrincipal \n"
+ "allow jcr:read on " + path + " restriction(rep:glob,*mismatch)\n"
+ "end";