Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2014/01/14 18:30:57 UTC
svn commit: r1558120 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/
oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/
oak-jcr/ oak-jcr/src/test/java/...
Author: angela
Date: Tue Jan 14 17:30:57 2014
New Revision: 1558120
URL: http://svn.apache.org/r1558120
Log:
OAK-1223
Inconsistent entry filtering for ADD_NODE and REMOVE_NODE permission
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java (with props)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
jackrabbit/oak/trunk/oak-jcr/pom.xml
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Tue Jan 14 17:30:57 2014
@@ -236,7 +236,7 @@ final class CompiledPermissionImpl imple
@Override
public boolean isGranted(@Nonnull String path, long permissions) {
- Iterator<PermissionEntry> it = getEntryIterator(new EntryPredicate(path));
+ Iterator<PermissionEntry> it = getEntryIterator(new EntryPredicate(path, Permissions.respectParentPermissions(permissions)));
return hasPermissions(it, permissions, path);
}
@@ -253,7 +253,7 @@ final class CompiledPermissionImpl imple
//------------------------------------------------------------< private >---
private boolean internalIsGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
- Iterator<PermissionEntry> it = getEntryIterator(new EntryPredicate(tree, property));
+ Iterator<PermissionEntry> it = getEntryIterator(tree, property, permissions);
return hasPermissions(it, permissions, tree.getPath());
}
@@ -265,9 +265,7 @@ final class CompiledPermissionImpl imple
return false;
}
- boolean respectParent = (path != null) &&
- (Permissions.includes(permissions, Permissions.ADD_NODE) ||
- Permissions.includes(permissions, Permissions.REMOVE_NODE));
+ boolean respectParent = (path != null) && Permissions.respectParentPermissions(permissions);
long allows = (isReadable) ? Permissions.READ : Permissions.NO_PERMISSION;
long denies = Permissions.NO_PERMISSION;
@@ -349,7 +347,7 @@ final class CompiledPermissionImpl imple
private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
EntryPredicate pred = (tree == null)
? new EntryPredicate()
- : new EntryPredicate(tree, null);
+ : new EntryPredicate(tree, null, false);
Iterator<PermissionEntry> entries = getEntryIterator(pred);
PrivilegeBits allowBits = PrivilegeBits.getInstance();
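Review bot: The bare `false` in `new EntryPredicate(tree, null, false)` in getPrivilegeBits is unexplained, and it makes privilege evaluation differ from the permission checks in this file, which pass `Permissions.respectParentPermissions(permissions)`. With `false` the predicate resolves no parent, so entries that match only the parent tree are filtered out on this path. If that is intended, state it at the call, e.g. `// privileges are evaluated on the tree itself; entries matching only the parent are not collected`. getPrivilegeBits continues outside the hunk.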
@@ -372,6 +370,11 @@ final class CompiledPermissionImpl imple
}
@Nonnull
+ private Iterator<PermissionEntry> getEntryIterator(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
+ return getEntryIterator(new EntryPredicate(tree, property, Permissions.respectParentPermissions(permissions)));
+ }
+
+ @Nonnull
private Iterator<PermissionEntry> getEntryIterator(@Nonnull EntryPredicate predicate) {
Iterator<PermissionEntry> userEntries = userStore.getEntryIterator(predicate);
Iterator<PermissionEntry> groupEntries = groupStore.getEntryIterator(predicate);
@@ -456,7 +459,7 @@ final class CompiledPermissionImpl imple
long permission = (isAcTree) ? Permissions.READ_ACCESS_CONTROL : Permissions.READ_NODE;
PrivilegeBits requiredBits = READ_BITS.get(permission);
- Iterator<PermissionEntry> it = getIterator(null);
+ Iterator<PermissionEntry> it = getIterator(null, permission);
while (it.hasNext()) {
PermissionEntry entry = it.next();
if (entry.privilegeBits.includes(requiredBits)) {
@@ -481,7 +484,7 @@ final class CompiledPermissionImpl imple
}
long permission = (isAcTree) ? Permissions.READ_ACCESS_CONTROL : Permissions.READ_PROPERTY;
- Iterator<PermissionEntry> it = getIterator(property);
+ Iterator<PermissionEntry> it = getIterator(property, permission);
while (it.hasNext()) {
PermissionEntry entry = it.next();
if (entry.privilegeBits.includes(READ_BITS.get(permission))) {
@@ -505,17 +508,17 @@ final class CompiledPermissionImpl imple
@Override
public boolean isGranted(long permissions) {
- return hasPermissions(getIterator(null), permissions, tree.getPath());
+ return hasPermissions(getIterator(null, permissions), permissions, tree.getPath());
}
@Override
public boolean isGranted(long permissions, @Nonnull PropertyState property) {
- return hasPermissions(getIterator(property), permissions, tree.getPath());
+ return hasPermissions(getIterator(property, permissions), permissions, tree.getPath());
}
//--------------------------------------------------------< private >---
- private Iterator<PermissionEntry> getIterator(@Nullable PropertyState property) {
- EntryPredicate predicate = new EntryPredicate(tree, property);
+ private Iterator<PermissionEntry> getIterator(@Nullable PropertyState property, long permissions) {
+ EntryPredicate predicate = new EntryPredicate(tree, property, Permissions.respectParentPermissions(permissions));
return concat(new LazyIterator(this, true, predicate), new LazyIterator(this, false, predicate));
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java Tue Jan 14 17:30:57 2014
@@ -23,6 +23,7 @@ import javax.annotation.Nullable;
import com.google.common.base.Predicate;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
/**
* Predicate used to evaluation if a given {@code PermissionEntry} matches
@@ -34,22 +35,35 @@ final class EntryPredicate implements Pr
private final PropertyState property;
private final String path;
- public EntryPredicate(@Nonnull Tree tree, @Nullable PropertyState property) {
- this.tree = tree;
- this.property = property;
- this.path = tree.getPath();
+ private final String parentPath;
+ private final Tree parent;
+
+ public EntryPredicate(@Nonnull Tree tree, @Nullable PropertyState property,
+ boolean respectParent) {
+ this(tree, property, tree.getPath(), respectParent);
}
- public EntryPredicate(@Nonnull String path) {
- this.tree = null;
- this.property = null;
- this.path = path;
+ public EntryPredicate(@Nonnull String path, boolean respectParent) {
+ this(null, null, path, respectParent);
}
public EntryPredicate() {
- this.tree = null;
- this.property = null;
- this.path = null;
+ this(null, null, null, false);
+ }
+
+ private EntryPredicate(@Nullable Tree tree, @Nullable PropertyState property,
+ @Nullable String path, boolean respectParent) {
+ this.tree = tree;
+ this.property = property;
+ this.path = path;
+
+ if (respectParent) {
+ parentPath = (path == null || "/".equals(path)) ? null : PathUtils.getParentPath(path);
+ parent = (tree == null || tree.isRoot()) ? null : tree.getParent();
+ } else {
+ parentPath = null;
+ parent = null;
+ }
}
@CheckForNull
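Review bot: The new `respectParent` flag is undocumented on all three constructors that take it, although it decides which access control entries reach permission evaluation. A Javadoc line on the private constructor would cover it, e.g. `@param respectParent if true, entries matching the parent tree or parent path are accepted as well; the root has no parent`. When a non-root `tree` is passed, both `parent` and `parentPath` are resolved, but applyToParent reads `parentPath` only if `parent` is null. The `PathUtils.getParentPath` call therefore looks redundant in that case, unless code outside this hunk reads the field.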
@@ -63,11 +77,21 @@ final class EntryPredicate implements Pr
return false;
}
if (tree != null) {
- return entry.matches(tree, property);
+ return entry.matches(tree, property) || applyToParent(entry);
} else if (path != null) {
- return entry.matches(path);
+ return entry.matches(path) || applyToParent(entry);
} else {
return entry.matches();
}
}
+
+ private boolean applyToParent(@Nonnull PermissionEntry entry) {
+ if (parent != null) {
+ return entry.matches(parent, null);
+ } else if (parentPath != null) {
+ return entry.matches(parentPath);
+ } else {
+ return false;
+ }
+ }
}
\ No newline at end of file
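Review bot: `applyToParent` admits an entry for the whole requested bitmask, not only for the ADD_NODE/REMOVE_NODE bits. `Permissions.respectParentPermissions` is true as soon as either bit is included, so a combined request such as add-node plus set-property also collects entries that match only the parent. Whether that can change the outcome for the other bits depends on hasPermissions in CompiledPermissionImpl, whose body is outside this diff; it should apply parent-matched entries to the child-node bits only, and that is worth confirming with a test using a combined permission mask. In the tree branch the parent is matched with `entry.matches(parent, null)`, so `property` is dropped for the parent check; a one-line comment on applyToParent stating this would help the next reader.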
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java Tue Jan 14 17:30:57 2014
@@ -214,6 +214,11 @@ public final class Permissions {
return (permissions & permissionsToTest) == permissionsToTest;
}
+ public static boolean respectParentPermissions(long permissions) {
+ return Permissions.includes(permissions, Permissions.ADD_NODE) ||
+ Permissions.includes(permissions, Permissions.REMOVE_NODE);
+ }
+
/**
* Returns those bits from {@code permissions} that are not present in
* the {@code otherPermissions}, i.e. subtracts the other permissions
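Review bot: `respectParentPermissions` is a new public static method on a public SPI class but has no Javadoc, unlike the method that follows it. A Javadoc should state the contract visible here: it returns true if `permissions` includes `ADD_NODE` or `REMOVE_NODE`, and the callers in this commit use the result to decide whether entries matching the parent are evaluated as well. The `Permissions.` qualifiers are redundant inside the class; `return includes(permissions, ADD_NODE) || includes(permissions, REMOVE_NODE);` reads more easily.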
Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Tue Jan 14 17:30:57 2014
@@ -116,8 +116,6 @@
org.apache.jackrabbit.oak.jcr.security.authorization.CopyTest#testCopyInvisibleProperty <!-- OAK-920 -->
org.apache.jackrabbit.oak.jcr.security.authorization.CopyTest#testCopyInvisibleAcContent <!-- OAK-920 -->
- org.apache.jackrabbit.oak.jcr.security.authorization.SessionMoveTest#testMoveAddSubTreeWithRestriction <!-- OAK-1223 -->
-
<!-- Query -->
org.apache.jackrabbit.test.api.query.ElementTest#testElementTestNameTestSomeNTWithSNS <!-- OAK-203 -->
org.apache.jackrabbit.test.api.query.SaveTest#testItemExistsException <!-- OAK-203 -->
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java Tue Jan 14 17:30:57 2014
@@ -25,7 +25,6 @@ import javax.jcr.security.Privilege;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.util.Text;
-import org.junit.Ignore;
import org.junit.Test;
/**
@@ -141,6 +140,29 @@ public class SessionMoveTest extends Abs
}
@Test
+ public void testMoveRemoveSubTreeWithRestriction2() throws Exception {
+ /* allow READ/WRITE privilege for testUser at 'path' */
+ allow(path, testUser.getPrincipal(), readWritePrivileges);
+ /* deny REMOVE_NODE privileges at subtree. */
+ deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_CHILD_NODES), createGlobRestriction("*/" + Text.getName(childNPath)));
+
+ assertTrue(testSession.nodeExists(childNPath));
+ assertTrue(testSession.hasPermission(childNPath, Session.ACTION_REMOVE));
+ assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_ADD_NODE));
+
+ testSession.move(childNPath, childNPath2 + "/dest");
+ Node dest = testSession.getNode(childNPath2 + "/dest");
+ dest.getNode(nodeName3).remove();
+
+ try {
+ testSession.save();
+ fail("Removing child node must be denied.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
public void testMoveAndAddSubTree() throws Exception {
allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
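Review bot: The comment `/* deny REMOVE_NODE privileges at subtree. */` in testMoveRemoveSubTreeWithRestriction2 does not match the code, which denies `PrivilegeConstants.JCR_REMOVE_CHILD_NODES` under a glob restriction. The same mismatch appears in WriteRestrictionTest.testRemoveSubTreeWithRestriction2. In an authorization test the comment is what a reader uses to judge the expected outcome, so it should name the privilege actually denied, e.g. `/* deny REMOVE_CHILD_NODES at the nodes matched by the glob restriction. */`.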
@@ -199,7 +221,6 @@ public class SessionMoveTest extends Abs
testSession.save();
}
- @Ignore("OAK-1223") // FIXME: OAK-1223
@Test
public void testMoveAddSubTreeWithRestriction() throws Exception {
/* allow READ/WRITE privilege for testUser at 'path' */
Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java?rev=1558120&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java Tue Jan 14 17:30:57 2014
@@ -0,0 +1,167 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.Session;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.test.api.util.Text;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * WriteRestrictionTest: tests add and remove node in combination with glob restrictions.
+ */
+public class WriteRestrictionTest extends AbstractEvaluationTest {
+
+ private String nodePath3;
+
+ @Override
+ @Before
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ Node node3 = superuser.getNode(childNPath).addNode(nodeName3);
+ nodePath3 = node3.getPath();
+ superuser.save();
+ testSession.refresh(false);
+ }
+
+ @Test
+ public void testGlobRestriction() throws Exception {
+ String writeActions = getActions(Session.ACTION_ADD_NODE, Session.ACTION_REMOVE, Session.ACTION_SET_PROPERTY);
+
+ // permissions defined @ path
+ // restriction: grants write priv to all nodeName3 children
+ allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
+
+ assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+ assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_SET_PROPERTY));
+
+ assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+ assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_SET_PROPERTY));
+
+ assertTrue(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+ assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_SET_PROPERTY));
+ assertFalse(testSession.hasPermission(childNPath2, writeActions)); // removal req. rmchildnode privilege on parent.
+
+ assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+ }
+
+ @Test
+ public void testGlobRestriction2() throws Exception {
+
+ Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+ Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // permissions defined @ path
+ // restriction: grants write-priv to nodeName3 grand-children but not direct nodeName3 children.
+ allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
+
+ assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+ assertFalse(testAcMgr.hasPrivileges(path, rmNode));
+ assertFalse(testAcMgr.hasPrivileges(childNPath, addNode));
+ assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+ assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+ }
+
+ @Test
+ public void testGlobRestriction3() throws Exception {
+ Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+
+ // permissions defined @ path
+ // restriction: allows write to nodeName3 children
+ allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
+ // and grant add-node only at path (no glob restriction)
+ allow(path, addNode);
+
+ assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+ assertTrue(testAcMgr.hasPrivileges(path, addNode));
+
+ assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+ assertTrue(testAcMgr.hasPrivileges(childNPath, addNode));
+
+ assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+ assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+ }
+
+ @Test
+ public void testGlobRestriction4() throws Exception {
+ Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+
+ allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
+ deny(childNPath2, addNode);
+
+ assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+ assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_REMOVE));
+ assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+ assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_REMOVE));
+ assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+ assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+ }
+
+ @Test
+ public void testRemoveSubTreeWithRestriction() throws Exception {
+ /* allow READ/WRITE privilege for testUser at 'path' */
+ allow(path, testUser.getPrincipal(), readWritePrivileges);
+ /* deny REMOVE_NODE privileges at subtree. */
+ deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_NODE), createGlobRestriction("*/" + nodeName3));
+
+ testSession.getNode(childNPath).getNode(nodeName3).remove();
+ try {
+ testSession.save();
+ fail("Removing child node must be denied.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testRemoveSubTreeWithRestriction2() throws Exception {
+ /* allow READ/WRITE privilege for testUser at 'path' */
+ allow(path, testUser.getPrincipal(), readWritePrivileges);
+ /* deny REMOVE_NODE privileges at subtree. */
+ deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_CHILD_NODES), createGlobRestriction("*/" + Text.getName(childNPath)));
+
+ testSession.getNode(childNPath).getNode(nodeName3).remove();
+ try {
+ testSession.save();
+ fail("Removing child node must be denied.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testAddSubTreeWithRestriction() throws Exception {
+ /* allow READ/WRITE privilege for testUser at 'path' */
+ allow(path, testUser.getPrincipal(), readWritePrivileges);
+ /* deny ADD_CHILD_NODES privileges at subtree. */
+ deny(path, privilegesFromName(PrivilegeConstants.JCR_ADD_CHILD_NODES), createGlobRestriction("*/"+nodeName3));
+
+ Node node4 = testSession.getNode(nodePath3).addNode(nodeName4);
+ try {
+ testSession.save();
+ fail("Adding child node must be denied.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+}
\ No newline at end of file
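Review bot: In testAddSubTreeWithRestriction the local `node4` is assigned and never read; `testSession.getNode(nodePath3).addNode(nodeName4);` is enough. `Text` is imported from `org.apache.jackrabbit.test.api.util` here, while SessionMoveTest uses `org.apache.jackrabbit.util.Text` for the same `getName` call; using one of them consistently would be cleaner. None of the new tests appears to exercise the root boundary that EntryPredicate handles separately (`"/".equals(path)`, `tree.isRoot()`), so an ADD_NODE or REMOVE_NODE check against the root path would round out coverage.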
Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java Tue Jan 14 17:30:57 2014
@@ -519,94 +519,6 @@ public class WriteTest extends AbstractE
}
@Test
- public void testGlobRestriction() throws Exception {
- Node child = superuser.getNode(childNPath).addNode(nodeName3);
- superuser.save();
- String childchildPath = child.getPath();
-
- String writeActions = getActions(Session.ACTION_ADD_NODE, Session.ACTION_REMOVE, Session.ACTION_SET_PROPERTY);
-
- // permissions defined @ path
- // restriction: grants write priv to all nodeName3 children
- allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
-
- assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
- assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_SET_PROPERTY));
-
- assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
- assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_SET_PROPERTY));
-
- assertTrue(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
- assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_SET_PROPERTY));
- assertFalse(testSession.hasPermission(childNPath2, writeActions)); // removal req. rmchildnode privilege on parent.
-
- assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
- }
-
- @Test
- public void testGlobRestriction2() throws Exception {
- Node child = superuser.getNode(childNPath).addNode(nodeName3);
- superuser.save();
- String childchildPath = child.getPath();
-
- Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
- Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
-
- // permissions defined @ path
- // restriction: grants write-priv to nodeName3 grand-children but not direct nodeName3 children.
- allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
-
- assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
- assertFalse(testAcMgr.hasPrivileges(path, rmNode));
- assertFalse(testAcMgr.hasPrivileges(childNPath, addNode));
- assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
- assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
- }
-
- @Test
- public void testGlobRestriction3() throws Exception {
- Node child = superuser.getNode(childNPath).addNode(nodeName3);
- superuser.save();
- String childchildPath = child.getPath();
-
- Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
-
- // permissions defined @ path
- // restriction: allows write to nodeName3 children
- allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
- // and grant add-node only at path (no glob restriction)
- allow(path, addNode);
-
- assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
- assertTrue(testAcMgr.hasPrivileges(path, addNode));
-
- assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
- assertTrue(testAcMgr.hasPrivileges(childNPath, addNode));
-
- assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
- assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
- }
-
- @Test
- public void testGlobRestriction4() throws Exception {
- Node child = superuser.getNode(childNPath).addNode(nodeName3);
- superuser.save();
- String childchildPath = child.getPath();
-
- Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
-
- allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
- deny(childNPath2, addNode);
-
- assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
- assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_REMOVE));
- assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
- assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_REMOVE));
- assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
- assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
- }
-
- @Test
public void testWriteIfReadingParentIsDenied() throws Exception {
/* deny READ/WRITE privilege for testUser at 'path' */
deny(path, testUser.getPrincipal(), readWritePrivileges);