Posted to oak-dev@jackrabbit.apache.org by jorgeeflorez <jo...@gmail.com> on 2019/04/25 14:39:06 UTC

Retrieving permissions for user

Hello all,

I am maintaining an application that uses Jackrabbit and Oak
(1.5.14). In that software someone wrote the following code to get all
permissions given to a user:

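import java.util.ArrayList;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.Property;

// Collect the access-controlled paths stored for one principal.
List<String> authPaths = new ArrayList<>();
String permissionParent = "/jcr:system/rep:permissionStore/default/" +
        principalName;

Node parent = session.getNode(permissionParent);

NodeIterator iter = parent.getNodes();

while (iter.hasNext()) {
    Node current = iter.nextNode();

    // Each child node carries the path its permission entry applies to.
    Property prop = current.getProperty("rep:accessControlledPath");

    authPaths.add(prop.getString());
}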

This way, in the user interface all paths are shown and when one is
selected, the privileges assigned can be shown.

The problem with this code is that it only works when it is executed by the
"admin" user (if I understood well, it is because of the restricted access of
"/jcr:system/rep:permissionStore" as explained here
<https://jackrabbit.apache.org/oak/docs/security/permission/default.html>).
I need to display all paths with privileges assigned to a user, and I
think this is not possible using the methods described here
<https://jackrabbit.apache.org/oak/docs/security/accesscontrol/editing.html>,
because they receive a path as argument (maybe I am wrong). Is there a way
to achieve this (and that works for admin and all users with proper
permissions)?

Thanks in advance.
Best Regards.

Jorge Eduardo Flórez

Re: Retrieving permissions for user

Posted by jorgeeflorez <jo...@gmail.com>.
Hi Angela,
thank you for your reply, I will try as you say. Thanks again.

Jorge Eduardo Flórez

On Thu, Apr 25, 2019 at 9:53, Angela Schreiber
(<an...@adobe.com.invalid>) wrote:

> Hi Jorge
>
> The code you are describing relies on an implementation detail and you are
> right that it only works for administrative sessions. The reason for this
> is that using a different user to read from the permission store would
> essentially leak information that may not be accessible to that session.
>
> Also you have to keep in mind that this code only reads information for one
> particular authorization model. If your Oak repository would for instance
> use more than one model, you would miss the effect the other would have.
>
> What you are probably looking for is
>
> AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals)
>
> This one would show the effective policies for a given set of principals
> taking the access rights of the editing session into account. So, if a
> given Session would not be allowed to read the access control setup at a
> given node or for a given principal, this information will not leak.
>
> Hope that helps
> Angela

Re: Retrieving permissions for user

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Hi Jorge

The code you are describing relies on an implementation detail and you are right that it only works for administrative sessions. The reason for this is that using a different user to read from the permission store would essentially leak information that may not be accessible to that session.

Also you have to keep in mind that this code only reads information for one particular authorization model. If your Oak repository would for instance use more than one model, you would miss the effect the other would have.

What you are probably looking for is

AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals)

This one would show the effective policies for a given set of principals taking the access rights of the editing session into account. So, if a given Session would not be allowed to read the access control setup at a given node or for a given principal, this information will not leak.

Hope that helps
Angela




Re: Retrieving permissions for user

Posted by jorgeeflorez <jo...@gmail.com>.
Hi Julian,
thank you. Some days ago, I proposed changing to a more recent version.
Hopefully, they will approve it...

Best Regards,
Jorge
On Fri, Apr 26, 2019, 12:02 AM, Julian Reschke <
julian.reschke@gmx.de> wrote:

> On 25.04.2019 16:39, jorgeeflorez wrote:
> > Hello all,
> >
> > I am giving maintenance to an application that uses Jackrabbit and Oak
> > (1.5.14). (...)
>
> FWIW, that's an unstable release. Don't use in production. See
> <http://jackrabbit.apache.org/jcr/downloads.html>.
>
> Best regards, Julian
>

Re: Retrieving permissions for user

Posted by Julian Reschke <ju...@gmx.de>.
On 25.04.2019 16:39, jorgeeflorez wrote:
> Hello all,
>
> I am giving maintenance to an application that uses Jackrabbit and Oak
> (1.5.14). (...)

FWIW, that's an unstable release. Don't use in production. See
<http://jackrabbit.apache.org/jcr/downloads.html>.

Best regards, Julian