You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Robert Munteanu (JIRA)" <ji...@apache.org> on 2017/08/24 13:46:00 UTC

[jira] [Comment Edited] (SLING-3224) GetAclTest integration test fails due to incorrect privilege expansion in AbstractGetAclServlet

    [ https://issues.apache.org/jira/browse/SLING-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139887#comment-16139887 ] 

Robert Munteanu edited comment on SLING-3224 at 8/24/17 1:45 PM:
-----------------------------------------------------------------

Stepping through the code I can see that Oak returns the privileges correctly. However, in {{AbstractGetAclServlet.internalGetAcl}} , the {{mergePrivilegeSet}} invocation does not work properly. The call that fails is at line 181:

{code:java}
                	mergePrivilegeSets(privilege,
                			privilegeToAncestorMap,
							deniedSet, grantedSet);
{code}

where privilege is {{jcr:write}}, deniedSet is empty and grantedSet is {{jcr:all}}.

The logic is quite involved but I guess expansion of aggregate privileges is broken here.

_Edit_: typo


was (Author: rombert):
Stepping through the code I can see that Oak returns the privileges correctly. However, in {{AbstractGetAclServlet.internalGetAcl}} , the {{mergePrivilegeSet}} invocation does not work properly. The call that fails is at line 181:

{code:java}
                	mergePrivilegeSets(privilege,
                			privilegeToAncestorMap,
							deniedSet, grantedSet);
{code}

where privilege is {{jcr:write}, deniedSet is empty and grantedSet is {{jcr:all}}.

The logic is quite involved but I guess expansion of aggregate privileges is broken here.

> GetAclTest integration test fails due to incorrect privilege expansion in AbstractGetAclServlet
> -----------------------------------------------------------------------------------------------
>
>                 Key: SLING-3224
>                 URL: https://issues.apache.org/jira/browse/SLING-3224
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Bertrand Delacretaz
>            Assignee: Robert Munteanu
>              Labels: sling-IT
>             Fix For: JCR Jackrabbit Access Manager 3.0.2
>
>
> Failed tests:   testEffectiveAclMergeForUser_SubsetOfPrivilegesDeniedOnChild:
> Expected privilege jcr:modifyProperties to be NOT INCLUDED in supplied list: 
> [rep:userManagement, jcr:nodeTypeManagement, jcr:modifyProperties, jcr:namespaceManagement, rep:privilegeManagement, jcr:workspaceManagement, rep:readProperties, rep:alterProperties, jcr:nodeTypeDefinitionManagement, jcr:lockManagement, jcr:read, jcr:lifecycleManagement, jcr:removeNode, jcr:modifyAccessControl, jcr:removeChildNodes, jcr:versionManagement, rep:addProperties, rep:removeProperties, rep:readNodes, jcr:readAccessControl, jcr:addChildNodes, jcr:retentionManagement])



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)