Description
Currently the AdminPermissionChecker only evaluates the session-bound user id in https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54. This does not work well with principal based login (like with Sling Service Authentication) as in general only the first principal is returned (in case it is backed by a real JCR user). Instead one should leverage org.apache.jackrabbit.api.security.principal.PrincipalManager to retrieve all principals bound to the session and check that at least one is the administrator.
Attachments
Attachments
Issue Links
- causes
-
OAK-9415 Allow access to all principals bound to the current session
-
- Closed
-
- relates to
-
JCRVLT-427 Allow installation of packages with hook for users without admin privileges
-
- Closed
-
- links to