You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/06/09 04:41:21 UTC

[jira] [Commented] (SLING-5768) Introduce rep:slingResourceTypes as extension to Oak permission system

    [ https://issues.apache.org/jira/browse/SLING-5768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15321870#comment-15321870 ] 

ASF GitHub Bot commented on SLING-5768:
---------------------------------------

GitHub user ghenzler opened a pull request:

    https://github.com/apache/sling/pull/145

    SLING-5768 Introduce rep:slingResourceTypes

    Introduce rep:slingResourceTypes as extension to Oak permission system

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ghenzler/sling feature/SLING-5768-oak-restriction-for-resourcetype

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/sling/pull/145.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #145
    
----
commit 93f06a04a85dad36623881a7b5d7056c1f1f8693
Author: georg.henzler <ge...@netcentric.biz>
Date:   2016-06-09T04:35:29Z

    SLING-5768 Introduce rep:slingResourceTypes as extension to Oak
    permission system

----


> Introduce rep:slingResourceTypes as extension to Oak permission system
> ----------------------------------------------------------------------
>
>                 Key: SLING-5768
>                 URL: https://issues.apache.org/jira/browse/SLING-5768
>             Project: Sling
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Georg Henzler
>
> Oak allows to extend its permissions management by using custom restrictions \[1], also the standard oak restrictions are based on this and are implemented in a fairly straight-forward way \[2] (example is for rep:ntNames). 
> It would be nice to have sling level restrictions using sling properties in general. This issue is about introducing a restriction on resource types - the following should be possible:
> {code}
> - /content/mynode 
>    - rep:policy (rep:ACL)
>      - allow (rep:GrantACE)
>        + principalName (String) = "myAuthorizable"
>        + rep:privileges (Name[]) = "rep:write"
>        - rep:restrictions (rep:Restrictions)
>           + 	rep:slingResourceTypes (String[]) = [myproj/resourcetype1,myproj/resourcetype2]
> {code}
> The example would only grant "rep:write" for the resource types myproj/resourcetype1 and myproj/resourcetype2 in path /content/mynode, other resources under path /content/mynode would not have "rep:write" permissions. 
> See github PR for a first simple implementation (adding a bundle org.apache.sling.sling-oak-restrictions to contributions, not sure if this is the best spot). 
> \[1]
> https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Pluggability
> \[2]
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L50)
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)