You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by an...@apache.org on 2009/11/05 23:08:24 UTC
svn commit: r833210 - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
Author: angela
Date: Thu Nov 5 22:08:24 2009
New Revision: 833210
URL: http://svn.apache.org/viewvc?rev=833210&view=rev
Log:
JCR-2386 - wrong eval order of access control entries within a single node
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=833210&r1=833209&r2=833210&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java Thu Nov 5 22:08:24 2009
@@ -581,6 +581,10 @@
PrincipalManager principalMgr = sImpl.getPrincipalManager();
AccessControlManager acMgr = sImpl.getAccessControlManager();
+ // first collect aces present on the given aclNode.
+ List<AccessControlEntry> gaces = new ArrayList<AccessControlEntry>();
+ List<AccessControlEntry> uaces = new ArrayList<AccessControlEntry>();
+
NodeIterator itr = aclNode.getNodes();
while (itr.hasNext()) {
NodeImpl aceNode = (NodeImpl) itr.nextNode();
@@ -605,13 +609,26 @@
aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE),
sImpl.getValueFactory());
// add it to the proper list (e.g. separated by principals)
+ /**
+ * NOTE: access control entries must be collected in reverse
+ * order in order to assert proper evaluation.
+ */
if (princ instanceof Group) {
- groupAces.add(ace);
+ gaces.add(0, ace);
} else {
- userAces.add(ace);
+ uaces.add(0, ace);
}
}
}
+
+ // add the lists of aces to the overall lists that contain the entries
+ // throughout the hierarchy.
+ if (!gaces.isEmpty()) {
+ groupAces.addAll(gaces);
+ }
+ if (!uaces.isEmpty()) {
+ userAces.addAll(uaces);
+ }
}
private Iterator<AccessControlEntry> iterator() {
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=833210&r1=833209&r2=833210&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Thu Nov 5 22:08:24 2009
@@ -18,11 +18,13 @@
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.core.security.TestPrincipal;
import org.apache.jackrabbit.test.NotExecutableException;
import javax.jcr.AccessDeniedException;
@@ -37,6 +39,7 @@
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
+import java.util.UUID;
/**
* <code>EvaluationTest</code>...
@@ -263,4 +266,76 @@
// result at 'child path' must be deny
assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));
}
+
+ public void testMultipleGroupPermissionsOnNode() throws NotExecutableException, RepositoryException {
+ Group testGroup = getTestGroup();
+
+ /* create a second group the test user is member of */
+ Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+ UserManager umgr = getUserManager(superuser);
+ Group group2 = umgr.createGroup(principal);
+ try {
+ group2.addMember(testUser);
+ if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+ superuser.save();
+ }
+
+ /* add privileges for the Group the test-user is member of */
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+ withdrawPrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+ /*
+ testuser must get the permissions/privileges inherited from
+ the group it is member of.
+ the denial of group2 must succeed
+ */
+ String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
+
+ AccessControlManager testAcMgr = getTestACManager();
+
+ assertFalse(getTestSession().hasPermission(path, actions));
+ Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ assertFalse(testAcMgr.hasPrivileges(path, privs));
+ } finally {
+ group2.remove();
+ }
+ }
+
+ public void testMultipleGroupPermissionsOnNode2() throws NotExecutableException, RepositoryException {
+ Group testGroup = getTestGroup();
+
+ /* create a second group the test user is member of */
+ Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+ UserManager umgr = getUserManager(superuser);
+ Group group2 = umgr.createGroup(principal);
+
+ try {
+ group2.addMember(testUser);
+ if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+ superuser.save();
+ }
+
+ /* add privileges for the Group the test-user is member of */
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ withdrawPrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+ givePrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+ /*
+ testuser must get the permissions/privileges inherited from
+ the group it is member of.
+ the denial of group2 must succeed
+ */
+ String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
+
+ AccessControlManager testAcMgr = getTestACManager();
+ assertTrue(getTestSession().hasPermission(path, actions));
+ Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ assertTrue(testAcMgr.hasPrivileges(path, privs));
+ } finally {
+ group2.remove();
+ }
+ }
}
\ No newline at end of file