You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@sling.apache.org by en...@apache.org on 2019/10/28 20:56:38 UTC

[sling-org-apache-sling-jcr-jackrabbit-accessmanager] branch master updated: SLING-8812 DeleteAce request should return a meaningful error message when an invalid principalId is submitted

This is an automated email from the ASF dual-hosted git repository.

enorman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-jackrabbit-accessmanager.git


The following commit(s) were added to refs/heads/master by this push:
     new 3011525  SLING-8812 DeleteAce request should return a meaningful error message when an invalid principalId is submitted
3011525 is described below

commit 3011525cddd608d74537f8428ed7d408e7526be8
Author: Eric Norman <en...@apache.org>
AuthorDate: Mon Oct 28 13:56:28 2019 -0700

    SLING-8812 DeleteAce request should return a meaningful error message
    when an invalid principalId is submitted
---
 .../accessmanager/post/DeleteAcesServlet.java          | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
index f58eceb..baac3ac 100644
--- a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
+++ b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
@@ -16,6 +16,7 @@
  */
 package org.apache.sling.jcr.jackrabbit.accessmanager.post;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -31,6 +32,7 @@ import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
 import javax.servlet.Servlet;
 
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.resource.ResourceNotFoundException;
 import org.apache.sling.jcr.base.util.AccessControlUtil;
@@ -156,6 +158,22 @@ public class DeleteAcesServlet extends AbstractAccessPostServlet implements Dele
 			Set<String> pidSet = new HashSet<String>();
 			pidSet.addAll(Arrays.asList(principalNamesToDelete));
 
+			// validate that the submitted names are valid
+			Set<String> notFound = null;
+			PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(jcrSession);
+			for (String pid : pidSet) {
+				Principal principal = principalManager.getPrincipal(pid);
+				if (principal == null) {
+					if (notFound == null) {
+						notFound = new HashSet<>();
+					}
+					notFound.add(pid);
+				}
+			}
+			if (notFound != null && !notFound.isEmpty()) {
+				throw new RepositoryException("Invalid principalId was submitted.");
+			}
+			
 			try {
 				AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
 				AccessControlList updatedAcl = getAccessControlListOrNull(accessControlManager, resourcePath, false);