  1. Sling
  2. SLING-12298

Repoinit Script Not Respecting the Order of ACLs in set ACL


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Repoinit Parser 1.6.14, Repoinit JCR 1.1.38
    • Fix Version/s: None
    • Component/s: Repoinit
    • Labels: None

    Description

      In short, the Repoinit parser doesn't appear to respect the order of deny-allow in the set ACL commands.

       

      I had a script like so:

       

      {
          "scripts": [
              "create group test-fragments-editors with path /home/groups/forms",
              "set ACL on /content/dam/formsanddocuments/<project>\n   remove * for forms-users\n  deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:all for test-fragments-editors restriction(rep:glob,/<fragments_root>)\nend",
              "set ACL on /content/forms/af/<project>\n   remove * for forms-users\n  deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:all restriction(rep:glob,/<fragments_root>)for test-fragments-editors\nend"
          ]
      } 

       

      I would expect the resulting nodes would match the order defined in the script, like so:

      // expected node output under /content/dam|forms/formsanddocuments|af/<project>
      -rep:policy
          - deny (forms-users)
          - allow1 (forms-users)
          - allow2 (test-fragments-editors)

       

      But instead it was:

       

      // example node output under /content/dam|forms/formsanddocuments|af/<project>
      -rep:policy
          - allow (test-fragments-editors)
          - deny1 (forms-users)
          - allow2 (forms-users)

       

      Which resulted in a user who is a member of both groups being assigned the more restrictive permissions. For it to work, I had to put each deny-allow in a separate set ACL line like so:

      {
          "scripts": [
              "create group test-fragments-editors with path /home/groups/forms",
              "set ACL on /content/dam/formsanddocuments/<project>\n   remove * for forms-users\nend",
              "set ACL on /content/dam/formsanddocuments/<project>\n   deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\nend",
              "set ACL on /content/dam/formsanddocuments/<project>\n    allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\nend",
              "set ACL on /content/dam/formsanddocuments/<project>\n   allow jcr:all for test-fragments-editors restriction(rep:glob,/<fragments_root>)\nend",
              ...
          ]
      } 

       

       

      People

        Assignee: Unassigned
        Reporter: Sean Curtis (scurtis)
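Why the entry order matters for a member of both groups, as an added example that is not part of the issue report and is not Sling or Oak code. It is a simplified Python model that assumes the entries of one policy are applied top to bottom so that a later entry overrides an earlier one, ignores the shared rep:glob restriction, and uses a constructed three-privilege stand-in for jcr:all; the function and variable names are hypothetical.

```python
# Simplified model (an assumption, not Oak's implementation): the entries of one
# policy are applied top to bottom for every group the user belongs to, so a
# later entry overrides an earlier one for the privileges it names.

# Constructed stand-in for the jcr:all aggregate; the real aggregate is larger.
JCR_ALL = frozenset({"jcr:read", "jcr:write", "crx:replicate"})

# (action, principal, privileges) in the order the report expected ...
EXPECTED = [
    ("deny", "forms-users", ["jcr:all"]),
    ("allow", "forms-users", ["jcr:read", "crx:replicate"]),
    ("allow", "test-fragments-editors", ["jcr:all"]),
]
# ... and in the order the report found under rep:policy.
OBSERVED = [EXPECTED[2], EXPECTED[0], EXPECTED[1]]


def expand(privileges):
    """Resolve jcr:all to its member privileges."""
    resolved = set()
    for name in privileges:
        resolved |= JCR_ALL if name == "jcr:all" else {name}
    return resolved


def effective_privileges(policy, groups):
    """Apply matching entries in order; the last word on a privilege wins."""
    granted = set()
    for action, principal, privileges in policy:
        if principal in groups:
            if action == "allow":
                granted |= expand(privileges)
            else:
                granted -= expand(privileges)
    return granted


def overridden_allows(policy, groups):
    """Index pairs (allow, later deny) where the deny cancels part of the allow."""
    pairs = []
    for i, (action, principal, privileges) in enumerate(policy):
        if action != "allow" or principal not in groups:
            continue
        for j in range(i + 1, len(policy)):
            later_action, later_principal, later_privs = policy[j]
            if (later_action == "deny" and later_principal in groups
                    and expand(privileges) & expand(later_privs)):
                pairs.append((i, j))
    return pairs
```

Running `overridden_allows` over the entries listed under a node's rep:policy, with the groups of the affected user, points at the allow entry that ended up above a deny.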