Details
New Feature
Status: Open
Major
Resolution: Unresolved
Description
Today it is not possible to plug in a custom RestrictionProvider with restrictions (or restriction patterns, for that matter) that would allow evaluating against the effective set of principals for which permission evaluation is executed.
Reason: In contrast to AuthorizationConfiguration.getPermissionProvider(), AuthorizationConfiguration.getRestrictionProvider() does not get the set of effective principals passed.
What is possible today is something like e.g.
allow everyone jcr:read on /content with restriction jcr:title = "abc"
What is not feasible today is something like
allow everyone jcr:read on /content with restriction ownerProperty = currentPrincipal()
as the restriction evaluation today is agnostic of the principals for which the restrictions are being evaluated.
This improvement aims to investigate what it would take to make the set of principals that is available to the PermissionProvider also available to the RestrictionProvider during evaluation.
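
An added illustration of the gap described above, not Oak code and not part of the original issue: the two interfaces are simplified, hypothetical stand-ins for restriction pattern evaluation, and the principal names and node properties are constructed samples.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class PrincipalAwareRestrictionDemo {
    // Hypothetical stand-in for today's evaluation: the pattern sees only the node.
    interface Pattern {
        boolean matches(Map<String, String> nodeProperties);
    }

    // Hypothetical extension: the effective principals are passed in as well.
    interface PrincipalAwarePattern {
        boolean matches(Map<String, String> nodeProperties, Set<Principal> principals);
    }

    // Expressible today: restriction jcr:title = "abc"
    static Pattern propertyEquals(String name, String value) {
        return props -> value.equals(props.get(name));
    }

    // Needs the principals: restriction ownerProperty = currentPrincipal()
    static PrincipalAwarePattern propertyIsCurrentPrincipal(String name) {
        return (props, principals) -> {
            String owner = props.get(name);
            // A node without the property must not match, or the entry would apply to it for everyone.
            return owner != null && principals.stream().anyMatch(p -> owner.equals(p.getName()));
        };
    }

    public static void main(String[] args) {
        // Constructed sample principals and node properties.
        Principal alice = () -> "alice";
        Principal everyone = () -> "everyone";
        Set<Principal> effective = Set.of(alice, everyone);
        Map<String, String> own = Map.of("jcr:title", "abc", "ownerProperty", "alice");
        Map<String, String> other = Map.of("jcr:title", "abc", "ownerProperty", "bob");
        Map<String, String> unowned = Map.of("jcr:title", "abc");

        Pattern title = propertyEquals("jcr:title", "abc");
        PrincipalAwarePattern owner = propertyIsCurrentPrincipal("ownerProperty");

        // The title restriction gives the same answer whoever is asking.
        System.out.println("title/other:   " + title.matches(other));
        // The owner restriction depends on the effective principals of the session.
        System.out.println("owner/own:     " + owner.matches(own, effective));
        System.out.println("owner/other:   " + owner.matches(other, effective));
        System.out.println("owner/unowned: " + owner.matches(unowned, effective));
    }
}
```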