Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java (revision 1858846) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java (date 1556629934000) @@ -154,6 +154,9 @@ for (AggregatedPermissionProvider aggregatedPermissionProvider : pps) { PrivilegeBits supported = aggregatedPermissionProvider.supportedPrivileges(tree, privilegeBits); result.add(supported); + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return result; } @@ -181,6 +184,9 @@ for (AggregatedPermissionProvider aggregatedPermissionProvider : pps) { long supportedPermissions = supported.apply(aggregatedPermissionProvider); coveredPermissions |= supportedPermissions; + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return coveredPermissions; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderAnd.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderAnd.java (revision 1858846) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderAnd.java (date 1556617494000) @@ -86,6 +86,9 @@ // with the complete set of supported privileges denied.add(supported.diff(granted)); } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } // subtract all denied privileges from the result if (!denied.isEmpty()) { @@ -118,6 +121,9 @@ } coveredPrivs.add(supported); } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return hasPrivileges && coveredPrivs.includes(privilegeBits); } @@ -137,6 +143,9 @@ } coveredPermissions |= supportedPermissions; } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return isGranted && coveredPermissions == permissions; } @@ -163,6 +172,9 @@ } coveredPermissions |= supportedPermissions; } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return isGranted && coveredPermissions == permissions; } @@ -189,6 +201,9 @@ } coveredPermissions |= supportedPermissions; } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return isGranted && coveredPermissions == repositoryPermissions; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderOr.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderOr.java (revision 1858846) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderOr.java (date 1557229948000) @@ -83,6 +83,9 @@ result.add(granted); } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return getBitsProvider().getPrivilegeNames(result); } @@ -114,6 +117,9 @@ } } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return hasPrivileges && coveredPrivs.includes(privilegeBits); } @@ -134,6 +140,9 @@ } } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return isGranted && coveredPermissions == permissions; } @@ -161,6 +170,9 @@ } } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return isGranted && coveredPermissions == permissions; } @@ -188,6 +200,9 @@ } } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return isGranted && coveredPermissions == repositoryPermissions; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java (revision 1858846) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java (date 1556629149000) @@ -229,6 +229,10 @@ return parent.typeProvider.getType(tree, parent.type); } + private static boolean doAbort(AggregatedPermissionProvider provider) { + return provider.abortEvaluation(); + } + //---< OR >----------------------------------------------------------------- private static final class CompositeTreePermissionOr extends CompositeTreePermission { @@ -247,10 +251,11 @@ boolean grantsPermission(long permissions, @Nullable PropertyState property) { boolean isGranted = false; long coveredPermissions = Permissions.NO_PERMISSION; - - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, permissions); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, permissions); if (doEvaluate(supported)) { for (long p : Permissions.aggregates(supported)) { boolean aGrant = (property == null) ? tp.isGranted(p) : tp.isGranted(p, property); @@ -260,6 +265,7 @@ } } } + abortEvaluation = CompositeTreePermission.doAbort(provider); } return isGranted && coveredPermissions == permissions; } @@ -270,15 +276,18 @@ return true; } boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = (property == null) ? tp.canRead() : tp.canRead(property); if (readable) { return true; } } + abortEvaluation = CompositeTreePermission.doAbort(provider); } return readable; } @@ -286,15 +295,18 @@ @Override boolean grantsReadProperties() { boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, null, Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, null, Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = tp.canReadProperties(); if (readable) { break; } } + abortEvaluation = CompositeTreePermission.doAbort(provider); } return readable; } @@ -319,10 +331,11 @@ boolean grantsPermission(long permissions, @Nullable PropertyState property) { boolean isGranted = false; long coveredPermissions = Permissions.NO_PERMISSION; - - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, permissions); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, permissions); if (doEvaluate(supported)) { isGranted = (property == null) ? tp.isGranted(supported) : tp.isGranted(supported, property); if (!isGranted) { @@ -330,6 +343,7 @@ } coveredPermissions |= supported; } + abortEvaluation = CompositeTreePermission.doAbort(provider); } return isGranted && coveredPermissions == permissions; } @@ -339,30 +353,36 @@ return true; } boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = (property == null) ? tp.canRead() : tp.canRead(property); if (!readable) { return false; } } + abortEvaluation = doAbort(provider); } return readable; } boolean grantsReadProperties() { boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, null, Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, null, Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = tp.canReadProperties(); if (!readable) { break; } } + abortEvaluation = doAbort(provider); } return readable; } Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java (revision 1858846) +++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java (date 1556028054000) @@ -136,4 +136,7 @@ @NotNull TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreeType type, @NotNull TreePermission parentPermission); + default boolean abortEvaluation() { + return false; + } } Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java (revision 1858846) +++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java (date 1556889046000) @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -@Version("4.1.0") +@Version("4.2.0") package org.apache.jackrabbit.oak.spi.security.authorization.permission; import org.osgi.annotation.versioning.Version;