[JCR-3966] AccessControlUtils should not depend on ability to read other users - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Invalid
Affects Version/s: 2.12.1
Fix Version/s: None
Component/s: jackrabbit-jcr-commons
Labels:
None

Description

Most methods in AccessControlUtils - while taking the principal name as argument - always fetch the principal via the jackrabbit PrincipalManager.

This (at least in Oak) requires the user to have read access on the user behind the principal, otherwise it returns null and an NPE is thrown and no ACs are set.

Setting an AC however does not (and should not) require access to the complete user, and can be done by implementing the principal on the spot:

new JackrabbitPrincipal() {
    @Override
    public String getName() {
        return principalName;
    }
};

This uses the JackrabbitPrincipal as the PrincipalImpl in Oak casts to this one for the equality test.

Filevault does the same.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Alexander Klimetschek

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 13/Apr/16 00:52

Updated:: 14/Apr/16 18:00

Resolved:: 14/Apr/16 14:30