Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2014/03/26 10:17:14 UTC

[jira] [Resolved] (JCR-3758) Adding 'deny' entry for Everyone principal to a subnode does not deny access to that node for principals defined on parent nodes

     [ https://issues.apache.org/jira/browse/JCR-3758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-3758.
-------------------------

    Resolution: Invalid

User principals always take precedence over group principals. So, in order to make your setup work as expected, you either have to deny access to the user again or use group principals altogether (which is IMO better).

This is not a bug but works as designed.

> Adding 'deny' entry for Everyone principal to a subnode does not deny access to that node for principals defined on parent nodes
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JCR-3758
>                 URL: https://issues.apache.org/jira/browse/JCR-3758
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>            Reporter: Dave Heath
>         Attachments: Test_JCR3758.java
>
>
> If I wanted to have a user principal with access to an nt:folder node /a1 but no access to the subnode at /a1/a2, I should be able to grant access to that user principal on /a1 with Privilege.JCR_ALL and then call AccessControlUtils.denyAllToEveryone on /a1/a2. However, granting access on /a1 grants access to all subnodes of /a1 unless access is explicitly denied for that particular user principal. Denying access to Everyone is only effective if the Everyone principal is the means by which the user is granted access.
> See the attached test case for an example of this behavior.



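The precedence rule from the resolution, as a simplified model added here (not Jackrabbit code and not the attached Test_JCR3758.java). It assumes user-principal entries are consulted before group entries and that, within one class, the entry nearest the target node wins; the user `alice`, the group `editors` and all function names are constructed for illustration.

```python
# Simplified model (assumption, not Jackrabbit's implementation): entries for
# user principals outrank entries for group principals; within one class the
# entry defined closest to the target node wins.
from dataclasses import dataclass

EVERYONE = "everyone"  # constructed name standing in for the Everyone principal


@dataclass(frozen=True)
class Ace:
    path: str        # node that carries the entry
    principal: str
    is_group: bool
    allow: bool


def ancestors_and_self(path):
    """'/a1/a2' -> ['/', '/a1', '/a1/a2']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def can_access(aces, user, groups, target):
    """True if `user` (member of `groups` plus Everyone) may access `target`."""
    memberships = set(groups) | {EVERYONE}
    chain = ancestors_and_self(target)
    user_hits, group_hits = [], []
    for ace in aces:
        if ace.path not in chain:
            continue  # entry sits outside the target's ancestor chain
        if not ace.is_group and ace.principal == user:
            user_hits.append(ace)
        elif ace.is_group and ace.principal in memberships:
            group_hits.append(ace)
    # Group entries are only consulted when no user-principal entry matches.
    for hits in (user_hits, group_hits):
        if hits:
            # Stable sort by depth: deepest node wins, later entry breaks ties.
            return sorted(hits, key=lambda a: chain.index(a.path))[-1].allow
    return False  # nothing matched: default deny


# Constructed scenarios mirroring the report and the two suggested remedies.
REPORTED = [Ace("/a1", "alice", False, True),
            Ace("/a1/a2", EVERYONE, True, False)]
FIX_DENY_USER = REPORTED + [Ace("/a1/a2", "alice", False, False)]
FIX_GROUPS_ONLY = [Ace("/a1", "editors", True, True),
                   Ace("/a1/a2", EVERYONE, True, False)]
```

When auditing a repository for this pattern, the thing to look for is an allow entry for an individual user on an ancestor of a node whose only deny entries name groups.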