You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2019/10/10 08:18:26 UTC
svn commit: r1868229 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
Author: angela
Date: Thu Oct 10 08:18:26 2019
New Revision: 1868229
URL: http://svn.apache.org/viewvc?rev=1868229&view=rev
Log:
OAK-8689 : AccessControlManager.getEffectivePolicies doesn't include ReadPolicy for subtrees
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1868229&r1=1868228&r2=1868229&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Thu Oct 10 08:18:26 2019
@@ -167,12 +167,27 @@ public class AccessControlManagerImpl ex
parentPath = (PathUtils.denotesRoot(parentPath)) ? "" : Text.getRelativeParent(parentPath, 1);
}
}
- if (readPaths.contains(oakPath)) {
+ if (isEffectiveReadPath(oakPath)) {
effective.add(ReadPolicy.INSTANCE);
}
return effective.toArray(new AccessControlPolicy[0]);
}
+ private boolean isEffectiveReadPath(@Nullable String oakPath) {
+ if (oakPath == null) {
+ return false;
+ }
+ if (readPaths.contains(oakPath)) {
+ return true;
+ }
+ for (String rp : readPaths) {
+ if (Text.isDescendant(rp, oakPath)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
@NotNull
@Override
public AccessControlPolicyIterator getApplicablePolicies(@Nullable String absPath) throws RepositoryException {
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java?rev=1868229&r1=1868228&r2=1868229&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java Thu Oct 10 08:18:26 2019
@@ -80,11 +80,37 @@ public class ReadPolicyTest extends Abst
}
@Test
+ public void tsetGetPoliciesInSubtrees() throws Exception {
+ for (String path : subTreePaths) {
+ for (AccessControlPolicy policy : getAccessControlManager(root).getPolicies(path)) {
+ if (policy instanceof ReadPolicy) {
+ fail("ReadPolicy must only be bound to configured path.");
+ }
+ }
+ }
+ }
+
+ @Test
public void testGetEffectivePolicies() throws Exception {
for (String path : readPaths) {
AccessControlPolicy[] policies = getAccessControlManager(root).getEffectivePolicies(path);
boolean found = false;
for (AccessControlPolicy policy : policies) {
+ if (policy instanceof ReadPolicy) {
+ found = true;
+ break;
+ }
+ }
+ assertTrue(found);
+ }
+ }
+
+ @Test
+ public void testGetEffectivePoliciesInSubTrees() throws Exception {
+ for (String path : subTreePaths) {
+ AccessControlPolicy[] policies = getAccessControlManager(root).getEffectivePolicies(path);
+ boolean found = false;
+ for (AccessControlPolicy policy : policies) {
if (policy instanceof ReadPolicy) {
found = true;
break;