Posted to commits@jackrabbit.apache.org by tr...@apache.org on 2015/09/01 14:07:31 UTC
svn commit: r1700513 - in
/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization:
AbstractEvaluationTest.java acl/RestrictionTest.java acl/TestAll.java
Author: tripod
Date: Tue Sep 1 12:07:31 2015
New Revision: 1700513
URL: http://svn.apache.org/r1700513
Log:
OAK-3324 hasPermission does not reflect actual behavior with restrictions
- add oak test for comparison
Added:
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java
- copied, changed from r1700496, jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java
Modified:
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=1700513&r1=1700512&r2=1700513&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java Tue Sep 1 12:07:31 2015
@@ -184,7 +184,7 @@ public abstract class AbstractEvaluation
return modifyPrivileges(path, testUser.getPrincipal(), privilegesFromName(privilege), isAllow, getRestrictions(superuser, path));
}
- private JackrabbitAccessControlList modifyPrivileges(String path, Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws NotExecutableException, RepositoryException {
+ protected JackrabbitAccessControlList modifyPrivileges(String path, Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws NotExecutableException, RepositoryException {
JackrabbitAccessControlList tmpl = getPolicy(acMgr, path, principal);
tmpl.addEntry(principal, privileges, isAllow, restrictions);
Copied: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java (from r1700496, jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java?p2=jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java&p1=jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java&r1=1700496&r2=1700513&rev=1700513&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java Tue Sep 1 12:07:31 2015
@@ -16,49 +16,52 @@
*/
package org.apache.jackrabbit.core.security.authorization.acl;
-import org.apache.jackrabbit.JcrConstants;
-import org.apache.jackrabbit.api.JackrabbitSession;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.api.security.user.Authorizable;
-import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest;
-import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
-import org.apache.jackrabbit.test.NotExecutableException;
-import org.junit.Test;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
-import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
-import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest;
+import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.value.StringValue;
/**
* <code>ReadTest</code>...
*/
-public class ReadTest extends AbstractEvaluationTest {
+public class RestrictionTest extends AbstractEvaluationTest {
- private String path;
- private String childNPath;
+ private String path_root;
+ private String path_a;
+ private String path_b;
+ private String path_c;
+ private String path_d;
@Override
protected void setUp() throws Exception {
super.setUp();
// create some nodes below the test root in order to apply ac-stuff
- Node node = testRootNode.addNode(nodeName1, testNodeType);
- Node cn1 = node.addNode(nodeName2, testNodeType);
+ Node a = testRootNode.addNode("a", testNodeType);
+ Node b = a.addNode("b", testNodeType);
+ Node c = b.addNode("c", testNodeType);
+ Node d = c.addNode("d", testNodeType);
superuser.save();
- path = node.getPath();
- childNPath = cn1.getPath();
+ path_root = testRootNode.getPath();
+ path_a = a.getPath();
+ path_b = b.getPath();
+ path_c = c.getPath();
+ path_d = d.getPath();
}
@Override
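Review bot: The class Javadoc left as context above the renamed declaration still reads `<code>ReadTest</code>...`, so the copied file documents the wrong class. I would replace it with a sentence such as `<code>RestrictionTest</code> checks that rep:glob restrictions on jcr:removeNode are reflected both by privilege evaluation and by the actual remove operation.` The new fields `path_root` … `path_d` also drop the lowerCamelCase naming that the replaced fields (`path`, `childNPath`) followed; `pathRoot`, `pathA` and so on would match. The `@Override` that ends this hunk belongs to a method whose body is outside it.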
@@ -76,428 +79,56 @@ public class ReadTest extends AbstractEv
return Collections.emptyMap();
}
- public void testReadDenied() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-
- /* deny READ privilege for testUser at 'path' */
- withdrawPrivileges(path, privileges, getRestrictions(superuser, path));
- /*
- allow READ privilege for testUser at 'childNPath'
- */
- givePrivileges(childNPath, privileges, getRestrictions(superuser, childNPath));
-
-
- Session testSession = getTestSession();
-
- assertFalse(testSession.nodeExists(path));
- assertTrue(testSession.nodeExists(childNPath));
- Node n = testSession.getNode(childNPath);
- n.getDefinition();
- }
-
- public void testDenyUserAllowGroup() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- deny READ privilege for testUser at 'path'
- */
- withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
- /*
- allow READ privilege for group at 'path'
- */
- givePrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(path));
- }
-
- public void testAllowGroupDenyUser() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- allow READ privilege for group at 'path'
- */
- givePrivileges(path, group, privileges, getRestrictions(superuser, path));
- /*
- deny READ privilege for testUser at 'path'
- */
- withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(path));
- }
-
- public void testAllowUserDenyGroup() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- allow READ privilege for testUser at 'path'
- */
- givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
- /*
- deny READ privilege for group at 'path'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(path));
- }
-
- public void testDenyGroupAllowUser() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- deny READ privilege for group at 'path'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- /*
- allow READ privilege for testUser at 'path'
- */
- givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
-
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(path));
- }
-
- public void testDenyGroupAllowEveryone() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
- Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
- /*
- deny READ privilege for group at 'path'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- /*
- allow READ privilege for everyone at 'path'
- */
- givePrivileges(path, everyone, privileges, getRestrictions(superuser, path));
-
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(path));
- }
-
- public void testAllowEveryoneDenyGroup() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
- Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
- /*
- allow READ privilege for everyone at 'path'
- */
- givePrivileges(path, everyone, privileges, getRestrictions(superuser, path));
-
- /*
- deny READ privilege for group at 'path'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(path));
- }
-
- public void testDenyGroupPathAllowEveryoneChildPath() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
- Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
- /*
- deny READ privilege for group at 'path'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- /*
- allow READ privilege for everyone at 'childNPath'
- */
- givePrivileges(path, everyone, privileges, getRestrictions(superuser, childNPath));
-
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(childNPath));
- }
-
- public void testAllowEveryonePathDenyGroupChildPath() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
- Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
- /*
- allow READ privilege for everyone at 'path'
- */
- givePrivileges(path, everyone, privileges, getRestrictions(superuser, path));
-
- /*
- deny READ privilege for group at 'childNPath'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, childNPath));
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(childNPath));
- }
-
- public void testAllowUserPathDenyGroupChildPath() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- allow READ privilege for testUser at 'path'
- */
- givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
- /*
- deny READ privilege for group at 'childPath'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, childNPath));
-
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(childNPath));
- }
-
- public void testDenyGroupPathAllowUserChildPath() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- deny READ privilege for group at 'path'
- */
- withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
- /*
- allow READ privilege for testUser at 'childNPath'
- */
- givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, childNPath));
-
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(childNPath));
- }
-
- public void testDenyUserPathAllowGroupChildPath() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- deny READ privilege for testUser at 'path'
- */
- withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
- /*
- allow READ privilege for group at 'childNPath'
- */
- givePrivileges(path, group, privileges, getRestrictions(superuser, childNPath));
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(childNPath));
- }
-
- public void testAllowGroupPathDenyUserChildPath() throws Exception {
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
- Principal group = getTestGroup().getPrincipal();
-
- /*
- allow READ privilege for everyone at 'path'
- */
- givePrivileges(path, group, privileges, getRestrictions(superuser, path));
- /*
- deny READ privilege for testUser at 'childNPath'
- */
- withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, childNPath));
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(childNPath));
- }
-
- public void testGlobRestriction() throws Exception {
- Session testSession = getTestSession();
- AccessControlManager testAcMgr = getTestACManager();
- ValueFactory vf = superuser.getValueFactory();
- /*
- precondition:
- testuser must have READ-only permission on test-node and below
- */
- checkReadOnly(path);
- checkReadOnly(childNPath);
-
- Privilege[] read = privilegesFromName(Privilege.JCR_READ);
-
- Map<String, Value> restrictions = new HashMap<String, Value>(getRestrictions(superuser, path));
- restrictions.put(AccessControlConstants.P_GLOB.toString(), vf.createValue("*/"+jcrPrimaryType));
-
- withdrawPrivileges(path, read, restrictions);
-
- assertTrue(testAcMgr.hasPrivileges(path, read));
- assertTrue(testSession.hasPermission(path, javax.jcr.Session.ACTION_READ));
- testSession.getNode(path);
-
- assertTrue(testAcMgr.hasPrivileges(childNPath, read));
- assertTrue(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_READ));
- testSession.getNode(childNPath);
-
- String propPath = path + "/" + jcrPrimaryType;
- assertFalse(testSession.hasPermission(propPath, javax.jcr.Session.ACTION_READ));
- assertFalse(testSession.propertyExists(propPath));
-
- propPath = childNPath + "/" + jcrPrimaryType;
- assertFalse(testSession.hasPermission(propPath, javax.jcr.Session.ACTION_READ));
- assertFalse(testSession.propertyExists(propPath));
- }
-
- /**
- * @see <a href="https://issues.apache.org/jira/browse/OAK-2412">OAK-2412</a>
- */
- @Test
- public void testEmptyGlobRestriction()throws Exception{
- Node grandchild = superuser.getNode(childNPath).addNode("child");
- String ccPath = grandchild.getPath();
- superuser.save();
-
- // first deny access to 'path' (read-access is granted in the test setup)
- Privilege[] read = privilegesFromName(Privilege.JCR_READ);
- withdrawPrivileges(path, read, Collections.EMPTY_MAP);
-
- Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(path));
- assertFalse(canGetNode(testSession, path));
- assertFalse(testSession.nodeExists(childNPath));
- assertFalse(canGetNode(testSession, childNPath));
- assertFalse(testSession.nodeExists(ccPath));
- assertFalse(canGetNode(testSession, ccPath));
- assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-
- Map<String, Value> emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser, childNPath));
- emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-
- givePrivileges(childNPath, read, emptyStringRestriction);
- assertFalse(testSession.nodeExists(path));
- assertFalse(canGetNode(testSession, path));
- assertTrue(testSession.nodeExists(childNPath));
- assertTrue(canGetNode(testSession, childNPath));
- assertFalse(testSession.nodeExists(ccPath));
- assertFalse(canGetNode(testSession, ccPath));
- assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-
- givePrivileges(ccPath, read, Collections.EMPTY_MAP);
- assertTrue(testSession.nodeExists(ccPath));
- assertTrue(canGetNode(testSession, ccPath));
- assertTrue(testSession.propertyExists(ccPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
+ private void addEntry(String path, boolean grant, String restriction, String... privilegeNames) throws Exception {
+ if (restriction.length() > 0) {
+ Map<String, Value> rs = new HashMap<String, Value>();
+ rs.put("rep:glob", new StringValue(restriction));
+ modifyPrivileges(path, testUser.getPrincipal(), AccessControlUtils.privilegesFromNames(acMgr, privilegeNames), grant, rs);
+ } else {
+ modifyPrivileges(path, testUser.getPrincipal(), AccessControlUtils.privilegesFromNames(acMgr, privilegeNames), grant, Collections.<String, Value>emptyMap());
+ }
}
/**
- * @see <a href="https://issues.apache.org/jira/browse/OAK-2412">OAK-2412</a>
+ * Tests if the restriction are active at the proper place
*/
- @Test
- public void testEmptyGlobRestriction2()throws Exception{
- Node grandchild = superuser.getNode(childNPath).addNode("child");
- String ccPath = grandchild.getPath();
- superuser.save();
-
- // first deny access to 'path' (read-access is granted in the test setup)
- Privilege[] read = privilegesFromName(Privilege.JCR_READ);
- withdrawPrivileges(path, read, Collections.EMPTY_MAP);
+ public void testHasPermissionWithRestrictions() throws Exception {
+ // create permissions
+ // allow rep:write /testroot
+ // deny jcr:removeNode /testroot/a glob=*/c
+ // allow jcr:removeNode /testroot/a glob=*/b
+ // allow jcr:removeNode /testroot/a glob=*/c/*
+
+ addEntry(path_root, true, "", Privilege.JCR_READ, Privilege.JCR_WRITE);
+ addEntry(path_a, false, "*/c", Privilege.JCR_REMOVE_NODE);
+ addEntry(path_a, true, "*/b", Privilege.JCR_REMOVE_NODE);
+ addEntry(path_a, true, "*/c/*", Privilege.JCR_REMOVE_NODE);
Session testSession = getTestSession();
- assertFalse(testSession.nodeExists(path));
- assertFalse(canGetNode(testSession, path));
- assertFalse(testSession.nodeExists(childNPath));
- assertFalse(canGetNode(testSession, childNPath));
- assertFalse(testSession.nodeExists(ccPath));
- assertFalse(canGetNode(testSession, ccPath));
- assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-
- Map<String, Value> emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser, path));
- emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-
- givePrivileges(path, read, emptyStringRestriction);
- assertTrue(testSession.nodeExists(path));
- assertTrue(canGetNode(testSession, path));
- assertFalse(testSession.nodeExists(childNPath));
- assertFalse(canGetNode(testSession, childNPath));
- assertFalse(testSession.nodeExists(ccPath));
- assertFalse(canGetNode(testSession, ccPath));
- assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
- }
-
- /**
- * @see <a href="https://issues.apache.org/jira/browse/OAK-2412">OAK-2412</a>
- */
- @Test
- public void testEmptyGlobRestriction3()throws Exception{
- Node child2 = superuser.getNode(path).addNode("child2");
- String childNPath2 = child2.getPath();
- superuser.save();
-
try {
- Group group1 = getTestGroup();
- Group group2 = getUserManager(superuser).createGroup("group2");
- group2.addMember(testUser);
- Group group3 = getUserManager(superuser).createGroup("group3");
- superuser.save();
-
- assertTrue(group1.isDeclaredMember(testUser));
- assertTrue(group2.isDeclaredMember(testUser));
- assertFalse(group3.isDeclaredMember(testUser));
-
- Privilege[] read = privilegesFromName(Privilege.JCR_READ);
-
- withdrawPrivileges(path, group1.getPrincipal(), read, Collections.EMPTY_MAP);
- Map<String, Value> emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser, path));
- emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
- givePrivileges(path, group1.getPrincipal(), read, emptyStringRestriction);
-
- withdrawPrivileges(childNPath, group2.getPrincipal(), read, Collections.EMPTY_MAP);
- emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser, childNPath));
- emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
- givePrivileges(childNPath, group2.getPrincipal(), read, emptyStringRestriction);
-
- withdrawPrivileges(childNPath2, group3.getPrincipal(), read, Collections.EMPTY_MAP);
- emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser, childNPath2));
- emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
- givePrivileges(childNPath2, group3.getPrincipal(), read, emptyStringRestriction);
-
- // NOTE: test-session is created here and is expected to reflect the
- // group membership changes made above.
- Session testSession = getTestSession();
- assertTrue(testSession.nodeExists(path));
- assertTrue(testSession.nodeExists(childNPath));
- assertFalse(testSession.nodeExists(childNPath2));
- } finally {
- Authorizable g2 = getUserManager(superuser).getAuthorizable("group2");
- if (g2 != null) {
- g2.remove();
- }
- Authorizable g3 = getUserManager(superuser).getAuthorizable("group3");
- if (g3 != null) {
- g3.remove();
- }
- superuser.save();
- }
- }
+ AccessControlManager acMgr = getAccessControlManager(testSession);
- private static boolean canGetNode(Session session, String nodePath) throws RepositoryException {
- try {
- session.getNode(nodePath);
- return true;
- } catch (PathNotFoundException e) {
- return false;
+ assertFalse("user should not have remove node on /a/b/c",
+ acMgr.hasPrivileges(path_c, AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_REMOVE_NODE)));
+ assertTrue("user should have remove node on /a/b",
+ acMgr.hasPrivileges(path_b, AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_REMOVE_NODE)));
+ assertTrue("user should have remove node on /a/b/c/d",
+ acMgr.hasPrivileges(path_d, AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_REMOVE_NODE)));
+
+ // should be able to remove /a/b/c/d
+ testSession.getNode(path_d).remove();
+ testSession.save();
+
+ try {
+ testSession.getNode(path_c).remove();
+ testSession.save();
+ fail("removing node on /a/b/c should fail");
+ } catch (RepositoryException e) {
+ // all ok
+ }
+ } finally {
+ testSession.logout();
}
}
- public void testRemoveMixin() throws Exception {
- Node n = superuser.getNode(path);
-
- Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-
- withdrawPrivileges(path, privileges, getRestrictions(superuser, path));
-
- assertTrue(n.hasNode("rep:policy"));
- assertTrue(n.isNodeType("rep:AccessControllable"));
-
- n.removeMixin("rep:AccessControllable");
-
- superuser.save();
- assertFalse(n.hasNode("rep:policy"));
- assertFalse(n.isNodeType("rep:AccessControllable"));
- }
}
\ No newline at end of file
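Review bot: The denial check in `testHasPermissionWithRestrictions` accepts any `RepositoryException`, so the test also passes when `getNode(path_c)` or `save()` fails for a reason unrelated to access control; for an authorization test the catch should be narrowed to `} catch (AccessDeniedException e) {`, which is already imported (assuming that is the type this implementation throws on a denied remove, to be confirmed). Despite the test name and the OAK-3324 title, only `hasPrivileges` is asserted and nothing calls `testSession.hasPermission(...)`; adding `assertFalse(testSession.hasPermission(path_c, Session.ACTION_REMOVE));` with the matching positive checks for `path_b` and `path_d` would cover the behaviour being compared. The local `acMgr` also appears to shadow the inherited `acMgr` that `addEntry` passes to `privilegesFromNames`, which is easy to misread in a permission test; `testAcMgr` would be clearer.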
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java?rev=1700513&r1=1700512&r2=1700513&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java Tue Sep 1 12:07:31 2015
@@ -52,6 +52,7 @@ public class TestAll extends TestCase {
suite.addTestSuite(ACLEditorTest.class);
suite.addTestSuite(RepositoryOperationTest.class);
suite.addTestSuite(MoveTest.class);
+ suite.addTestSuite(RestrictionTest.class);
return suite;
}