You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by en...@apache.org on 2019/10/28 20:56:38 UTC
[sling-org-apache-sling-jcr-jackrabbit-accessmanager] branch master
updated: SLING-8812 DeleteAce request should return a meaningful error
message when an invalid principalId is submitted
This is an automated email from the ASF dual-hosted git repository.
enorman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-jackrabbit-accessmanager.git
The following commit(s) were added to refs/heads/master by this push:
new 3011525 SLING-8812 DeleteAce request should return a meaningful error message when an invalid principalId is submitted
3011525 is described below
commit 3011525cddd608d74537f8428ed7d408e7526be8
Author: Eric Norman <en...@apache.org>
AuthorDate: Mon Oct 28 13:56:28 2019 -0700
SLING-8812 DeleteAce request should return a meaningful error message
when an invalid principalId is submitted
---
.../accessmanager/post/DeleteAcesServlet.java | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
index f58eceb..baac3ac 100644
--- a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
+++ b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
@@ -16,6 +16,7 @@
*/
package org.apache.sling.jcr.jackrabbit.accessmanager.post;
+import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
@@ -31,6 +32,7 @@ import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.servlet.Servlet;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceNotFoundException;
import org.apache.sling.jcr.base.util.AccessControlUtil;
@@ -156,6 +158,22 @@ public class DeleteAcesServlet extends AbstractAccessPostServlet implements Dele
Set<String> pidSet = new HashSet<String>();
pidSet.addAll(Arrays.asList(principalNamesToDelete));
+ // validate that the submitted names are valid
+ Set<String> notFound = null;
+ PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(jcrSession);
+ for (String pid : pidSet) {
+ Principal principal = principalManager.getPrincipal(pid);
+ if (principal == null) {
+ if (notFound == null) {
+ notFound = new HashSet<>();
+ }
+ notFound.add(pid);
+ }
+ }
+ if (notFound != null && !notFound.isEmpty()) {
+ throw new RepositoryException("Invalid principalId was submitted.");
+ }
+
try {
AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
AccessControlList updatedAcl = getAccessControlListOrNull(accessControlManager, resourcePath, false);