You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by tr...@apache.org on 2015/09/04 14:58:58 UTC

svn commit: r1701241 - /jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.java

Author: tripod
Date: Fri Sep  4 12:58:57 2015
New Revision: 1701241

URL: http://svn.apache.org/r1701241
Log:
OAK-3324 Evaluation with restriction is not consistent with parent ACLs

Modified:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.java?rev=1701241&r1=1701240&r2=1701241&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.java Fri Sep  4 12:58:57 2015
@@ -54,6 +54,7 @@ import org.apache.jackrabbit.oak.util.No
 import org.apache.jackrabbit.value.StringValue;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Test;
 
 import com.google.common.collect.ImmutableMap;
@@ -70,6 +71,7 @@ public class CustomRestrictionProviderTe
     private static final String TEST_B_PATH = "/testRoot/a/b";
     private static final String TEST_C_PATH = "/testRoot/a/b/c";
     private static final String TEST_D_PATH = "/testRoot/a/b/c/d";
+    private static final String TEST_E_PATH = "/testRoot/a/b/c/d/e";
     private static final String PROP_NAME_PROTECT_ME = "protect-me";
 
     private NodeUtil testRootNode;
@@ -93,7 +95,8 @@ public class CustomRestrictionProviderTe
         NodeUtil b = a.addChild("b", NT_UNSTRUCTURED);
         NodeUtil c = b.addChild("c", NT_UNSTRUCTURED);
         c.setBoolean(PROP_NAME_PROTECT_ME, true);
-        c.addChild("d", NT_UNSTRUCTURED);
+        NodeUtil d = c.addChild("d", NT_UNSTRUCTURED);
+        d.addChild("e", NT_UNSTRUCTURED);
         root.commit();
 
         testPrincipal = getTestUser().getPrincipal();
@@ -133,6 +136,7 @@ public class CustomRestrictionProviderTe
      * @throws Exception
      */
     @Test
+    @Ignore("OAK-3324")
     public void testProtectByRestriction() throws Exception {
         // create permissions
         // allow rep:write      /testroot
@@ -151,8 +155,10 @@ public class CustomRestrictionProviderTe
                     pp.isGranted(testRoot.getTree(TEST_B_PATH), null, Permissions.REMOVE_NODE));
             assertFalse("user should not have remove node on /a/b/c",
                     pp.isGranted(testRoot.getTree(TEST_C_PATH), null, Permissions.REMOVE_NODE));
-            assertFalse("user should not have remove node on /a/b/c/d",
+            assertTrue("user should not have remove node on /a/b/c/d",
                     pp.isGranted(testRoot.getTree(TEST_D_PATH), null, Permissions.REMOVE_NODE));
+            assertTrue("user should not have remove node on /a/b/c/d/e",
+                    pp.isGranted(testRoot.getTree(TEST_E_PATH), null, Permissions.REMOVE_NODE));
 
             try {
                 // should be not able to remove /a/b/c/d
@@ -174,6 +180,39 @@ public class CustomRestrictionProviderTe
         } finally {
             testSession.close();
         }
+    }
+
+    /**
+     * Tests the custom restriction provider that checks on the existence of a property.
+     * @throws Exception
+     */
+    @Test
+    public void testProtectPropertiesByRestriction() throws Exception {
+        // create permissions
+        // allow rep:write          /testroot
+        // deny  jcr:modifyProperties /testroot/a  hasProperty = protect-me
+
+        addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
+        addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
+
+        ContentSession testSession = createTestSession();
+        try {
+            Root testRoot = testSession.getLatestRoot();
+            PermissionProvider pp = getSecurityProvider()
+                    .getConfiguration(AuthorizationConfiguration.class)
+                    .getPermissionProvider(root, testSession.getWorkspaceName(), testSession.getAuthInfo().getPrincipals());
+            assertTrue("user should have remove node on /a/b",
+                    pp.isGranted(testRoot.getTree(TEST_B_PATH), null, Permissions.MODIFY_PROPERTY));
+            assertFalse("user should not have remove node on /a/b/c",
+                    pp.isGranted(testRoot.getTree(TEST_C_PATH), null, Permissions.MODIFY_PROPERTY));
+            assertTrue("user should not have remove node on /a/b/c/d",
+                    pp.isGranted(testRoot.getTree(TEST_D_PATH), null, Permissions.MODIFY_PROPERTY));
+            assertTrue("user should not have remove node on /a/b/c/d/e",
+                    pp.isGranted(testRoot.getTree(TEST_E_PATH), null, Permissions.MODIFY_PROPERTY));
+
+        } finally {
+            testSession.close();
+        }
     }
 
     /**