Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Repoinit JCR 1.1.44
- None
Description
When applying ACLs, repoinit checks if the referenced authorizable exists, and it fails if it doesn't.
However, my goal was to set up ACLs with my deployment for a group that was to be sync'ed from an ExternalIdentityProvider once the first member of that group logs in.
To work around this limitation, I tried running the following repoinit script:
    create group testGroup
    set ACL for testGroup
        allow jcr:read on /content/foo
        deny jcr:write on /content/foo
    end
    delete group testGroup
It turned out that the statements were executed in the following order:
    create group testGroup
    delete group testGroup
    set ACL for testGroup
        allow jcr:read on /content/foo
        deny jcr:write on /content/foo
    end
Of course that caused the script to fail just as if no group was created.
The incorrect ordering may also cause other scenarios to fail.
The ExecutionOrderTest suggests that some re-ordering is done on purpose. E.g. namespaces and nodetypes should be created before e.g. paths are created.
I would expect that registration of custom privileges should also be executed before other operations. I don't see how that could be harmful.
But for all other statements, I would expect the execution order to match the order of the statements within the repoinit script.
cc bdelacretaz, cziegeler, angela
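The ordering problem described in this report, as an added toy model in Python (not part of the original issue and not Sling's code). The statement-kind labels, the in-memory store, the extra `register privilege` statement and the assumption that an ACL entry outlives its group are all constructed for illustration.

```python
# Toy model of repoinit statement ordering (added example, not Sling code).
# Statements are (kind, argument) tuples; the kind labels are hypothetical.

HOISTED = ("register namespace", "register nodetypes", "register privilege")
# Grouping that reproduces the order observed in the report: group creations,
# then group deletions, then ACL statements.
LEGACY_GROUPS = HOISTED + ("create group", "delete group", "set ACL")

SCRIPT = [  # constructed: the reported script plus one privilege registration
    ("create group", "testGroup"),
    ("set ACL", "testGroup"),
    ("register privilege", "my:priv"),
    ("delete group", "testGroup"),
]

def legacy_order(statements):
    """Group statements by kind; sorted() is stable within each kind."""
    return sorted(statements, key=lambda s: LEGACY_GROUPS.index(s[0]))

def expected_order(statements):
    """Hoist registrations only; every other statement keeps script order."""
    return sorted(statements, key=lambda s: s[0] not in HOISTED)

def execute(statements):
    """Run against an in-memory store, failing on a missing authorizable."""
    groups, acl_principals = set(), []
    for kind, arg in statements:
        if kind == "create group":
            groups.add(arg)
        elif kind == "delete group":
            groups.discard(arg)
        elif kind == "set ACL":
            if arg not in groups:
                raise LookupError(f"authorizable not found: {arg}")
            acl_principals.append(arg)  # model assumption: entry outlives group
    return acl_principals

if __name__ == "__main__":
    print("expected:", execute(expected_order(SCRIPT)))
    try:
        execute(legacy_order(SCRIPT))
    except LookupError as err:
        print("legacy:  ", err)
```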
Issue Links
- is related to SLING-12329 Backwards compatibility for legacy repoinit statement reordering (Closed)