Jackrabbit FileVault / JCRVLT-94

[AccessControlHandling] Unexpected behavior of acHandling 'merge'

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.18
    • Fix Version/s: 3.1.24
    • Component/s: vlt
    • Labels: None

    Description

      As per the document [0], the AccessControlHandling for 'merge' should be merging access control provided with the package with the one in the content by replacing the access control entries of corresponding principals (i.e. package first).
      This means if the package contains ACEs for a principal P, it should remove all the ACEs for that principal in the content and add the ones in the package.

      However, I am not seeing this expected behavior. The behavior I am seeing is as follows:
      ‘merge’ - Merges access control in the content with the one provided with the package by adding the access control entries of principals not present in the content but not removing the ones not present in the package.

      So, for instance, the ACLs “jcr:read,jcr:versionManagement,rep:write” for forms-users exist in CRX at ‘/content/apps/cm’ [PFA 'CreateInitialTestScenario.zip' to create these ACLs in CRX]. And now if we change the ACLs for the same user/group and path to “rep:write,crx:replicate” and install our package, a union of ACLs is seen, i.e. “jcr:read,jcr:versionManagement,rep:write,crx:replicate” for forms-users at ‘/content/apps/cm’.
      Please find attached package 'TestACHandling (2).zip' containing the ACLs - “rep:write,crx:replicate” for forms-users group and path ‘/content/apps/cm’

      [0] : https://docs.adobe.com/docs/en/aem/6-0/develop/ref/javadoc/org/apache/jackrabbit/vault/fs/io/AccessControlHandling.html

      Attachments

        1. CreateInitialTestScenario.zip
          6 kB
          Anshika Agarwal
        2. TestACHandling (2).zip
          6 kB
          Anshika Agarwal

        Activity

          the API docs explain it quite nicely:

          http://jackrabbit.apache.org/filevault/apidocs/org/apache/jackrabbit/vault/fs/io/AccessControlHandling.html#MERGE

          Content ACL:
               everyone, deny, jcr:all
               bob, allow, jcr:read
               bob, allow, jcr:write
           
          Package ACL:
               bob, deny, jcr:all
               alice, allow, jcr:read
           
          Result ACL:
               everyone, deny, jcr:all
               bob, deny, jcr:all
               alice, allow, jcr:read
          

          so you are saying that if bob has: allow jcr:versionManagement, it will be added to the other permissions and not replaced? ie:

          Content ACL:
               everyone, deny, jcr:all
               bob, allow, jcr:read
               bob, allow, jcr:write
           
          Package ACL:
               bob, allow, jcr:versionManagement
               alice, allow, jcr:read
           
          Result ACL:
               everyone, deny, jcr:all
               bob, allow, jcr:read
               bob, allow, jcr:write
               bob, allow, jcr:versionManagement
               alice, allow, jcr:read
          

          Can you please provide 2 test packages: 1 for creating the initial test content, and 1 that shows the erratic behavior?

          tripod Tobias Bocanegra added the comment above.
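
A small Python model of the two behaviours contrasted in the comment above (the documented per-principal replacement and the reported union), added here as an illustration; it is not FileVault code. The function names, the one-privilege-per-ACE tuple layout and the sample data are assumptions made for the example.

```python
# Added illustration: a model of the two MERGE behaviours discussed in this issue.
# Assumption: an ACE is (principal, "allow"|"deny", privilege); an ACL is an
# ordered list of ACEs with one privilege per entry.

def merge_documented(content, package):
    """MERGE as the API docs describe it: principals named in the package have
    their content ACEs dropped, then the package ACEs are appended."""
    replaced = {principal for principal, _, _ in package}
    return [ace for ace in content if ace[0] not in replaced] + list(package)

def merge_reported(content, package):
    """Behaviour reported in this issue: package ACEs are added, but existing
    ACEs of the same principal are kept (a union)."""
    return list(content) + [ace for ace in package if ace not in content]

def stale_aces(content, package, result):
    """ACEs in `result` that the documented MERGE would have removed: they come
    from the old content, belong to a principal the package redefines, and are
    not in the package. Stale 'allow' entries are retained privileges."""
    replaced = {principal for principal, _, _ in package}
    return [ace for ace in result
            if ace[0] in replaced and ace in content and ace not in package]

# Constructed input modelling the reporter's forms-users case at /content/apps/cm.
CONTENT = [("forms-users", "allow", "jcr:read"),
           ("forms-users", "allow", "jcr:versionManagement"),
           ("forms-users", "allow", "rep:write")]
PACKAGE = [("forms-users", "allow", "rep:write"),
           ("forms-users", "allow", "crx:replicate")]

if __name__ == "__main__":
    for name, merge in (("documented", merge_documented),
                        ("reported", merge_reported)):
        result = merge(CONTENT, PACKAGE)
        print(name, [privilege for _, _, privilege in result])
        print("  stale:", stale_aces(CONTENT, PACKAGE, result))
```

Running `stale_aces` against an ACL read back after a package install gives a quick audit of grants that a per-principal replacement should have revoked.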

          anshika, can you also include a package with the initial content?

          tripod Tobias Bocanegra added the comment above.

          can reproduce. added test case in r1683152

          tripod Tobias Bocanegra added the comment above.

          fixed in r1683155

          tripod Tobias Bocanegra added the comment above.

          People

            tripod Tobias Bocanegra
            anshika Anshika Agarwal