[SLING-8604] AclUtil.setAcl: invalid assumptions regarding principal lookup - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Repoinit JCR 1.1.14
Component/s: Repoinit
Labels:
None

Description

IMHO, AclUtil.setAcl makes the following invalid assumptions about principals:

every principal is backed by a user/group defined by jackrabbit user management (which already is not necessarily true for the everyone group, which was probably the reason for the extra if for everyone)
for those cases where a given principal is in fact associated with an known user/group, the implementation assumes that the principal name is identical to the ID

for the former it is sufficient to look at the everyone principal or at the synchronization mechanism in oak-auth-external, which defines an additional PrincipalProvider that does not require principals to be reflected as users/goups and for which setting up access control content is equally valid (see also oak-exercise module for a simplistic, custom principal provider to play around with).

the latter can easily be illustrated by creating a user/group account with a different principal name by calling UserManager.createUser(String, String, Principal, String) or UserManager.createGroup(String, Principal, String.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SLING-8604.patch
31/Jul/19 12:39
9 kB
Angela Schreiber

Issue Links

is required by

SLING-8605 AclUtil.createLocalRestrictions should use JackrabbitAccessControlList.isMultiValueRestriction(String)

Closed

relates to

SLING-8602 Add support for PrincipalAccessControlList and ac-management by principal

Closed

Activity

People

Assignee:: Robert Munteanu

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 31/Jul/19 09:56

Updated:: 30/Sep/19 16:48

Resolved:: 17/Sep/19 12:43