You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Julian Sedding (JIRA)" <ji...@apache.org> on 2017/03/20 13:54:41 UTC

[jira] [Updated] (OAK-5947) Allowing non-admin user to set repository permissions fails

     [ https://issues.apache.org/jira/browse/OAK-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Sedding updated OAK-5947:
--------------------------------
    Attachment: SetRepoPolicyTest.patch

Attached is a [patch with a test case|^SetRepoPolicyTest.patch].

[~anchela], could you please take a look

1. to see if my code is correct and should work
2. (assuming the test is correct) if you can identify the root cause

I debugged the issue and I am under the impression that a {{SecureNodeBuilder}} causes reads and writes to {{/rep:repoPolicy}} to be handled like normal repository reads/writes. However, adding an ACEs there should not require such privileges.

PS: please excuse and correct in case I got some of the security terminology wrong.

> Allowing non-admin user to set repository permissions fails
> -----------------------------------------------------------
>
>                 Key: OAK-5947
>                 URL: https://issues.apache.org/jira/browse/OAK-5947
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: jcr, security
>    Affects Versions: 1.6.1
>            Reporter: Julian Sedding
>         Attachments: SetRepoPolicyTest.patch
>
>
> Given a user principal {{testUser}} is granted {{jcr:readAccessControl}} and {{jcr:modifyAccessControl}} on the repository ({{rep:repoPolicy}}), I would expect that this user can e.g. allow {{everyone}} the {{jcr:namespaceManagement}} permission on the repository.
> Currently this fails with the following exception:
> {noformat}
> javax.jcr.AccessDeniedException
> 	at org.apache.jackrabbit.oak.util.NodeUtil.addChild(NodeUtil.java:113)
> 	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setNodeBasedAcl(AccessControlManagerImpl.java:289)
> 	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:220)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.performVoid(AccessControlManagerDelegator.java:132)
> 	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:129)
> 	at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:152)
> 	at org.apache.jackrabbit.oak.jcr.SetRepoPolicyPermissionsTest.setRepositoryPermissions(SetRepoPolicyPermissionsTest.java:82)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)