Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java (revision 1858901) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java (date 1557309195000) @@ -154,6 +154,9 @@ for (AggregatedPermissionProvider aggregatedPermissionProvider : pps) { PrivilegeBits supported = aggregatedPermissionProvider.supportedPrivileges(tree, privilegeBits); result.add(supported); + if (Util.doEvaluate(supported) && aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return result; } @@ -181,6 +184,9 @@ for (AggregatedPermissionProvider aggregatedPermissionProvider : pps) { long supportedPermissions = supported.apply(aggregatedPermissionProvider); coveredPermissions |= supportedPermissions; + if (Util.doEvaluate(supportedPermissions) && aggregatedPermissionProvider.abortEvaluation()) { + break; + } } return coveredPermissions; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderAnd.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderAnd.java (revision 1858901) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderAnd.java (date 1557305875000) 
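Review bot: The early `break` is added to both coverage loops (after `result.add(supported)` here and after `coveredPermissions |= supportedPermissions` in the hunk at -181), but no hunk in this file overrides `abortEvaluation()` on the composite itself, so it keeps the `false` default. The composite exposes `supportedPrivileges`, which suggests it can itself be aggregated; if so, an abort requested by one of its members stops at this level and an enclosing composite still consults its remaining providers. State the intended behaviour next to the loops, e.g. `// a member's abortEvaluation() is not propagated to an enclosing composite`. Both loop bodies belong to methods that start outside the hunks.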
@@ -85,6 +85,10 @@ // update the set of denied privs by comparing the granted privs // with the complete set of supported privileges denied.add(supported.diff(granted)); + + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } // subtract all denied privileges from the result @@ -117,6 +121,10 @@ return false; } coveredPrivs.add(supported); + + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return hasPrivileges && coveredPrivs.includes(privilegeBits); @@ -136,6 +144,10 @@ return false; } coveredPermissions |= supportedPermissions; + + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return isGranted && coveredPermissions == permissions; @@ -162,6 +174,10 @@ return false; } coveredPermissions |= supportedPermissions; + + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return isGranted && coveredPermissions == permissions; @@ -188,6 +204,10 @@ return false; } coveredPermissions |= supportedPermissions; + + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return isGranted && coveredPermissions == repositoryPermissions; Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderOr.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderOr.java (revision 1858901) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderOr.java (date 1557306103000) @@ -82,6 +82,9 @@ if (!granted.isEmpty()) { result.add(granted); } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return getBitsProvider().getPrivilegeNames(result); 
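Review bot: In the AND composite, the `break` after `denied.add(supported.diff(granted))` means privileges denied by providers later in the list are never subtracted from `result`, so the reported privilege set now depends on provider order rather than on every provider agreeing. In the hunks at -117, -136, -162 and -188 a later provider that would hit `return false` is likewise no longer reached, and the only remaining guard is the final `coveredPrivs.includes(...)` / `coveredPermissions == ...` comparison. That guard deserves a comment at each site, e.g. `// providers after an aborting one are skipped; the coverage check below still rejects what it did not cover`. The Or hunks mirror this: an aborting provider that grants nothing hides a later grant, which at least fails closed. No test for an aborting provider placed ahead of a denying one is visible in this patch, and the enclosing methods start outside the hunks.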
@@ -113,6 +116,9 @@ hasPrivileges = true; } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return hasPrivileges && coveredPrivs.includes(privilegeBits); @@ -133,6 +139,9 @@ isGranted = true; } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return isGranted && coveredPermissions == permissions; @@ -160,6 +169,9 @@ isGranted = true; } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return isGranted && coveredPermissions == permissions; @@ -187,6 +199,9 @@ isGranted = true; } } + if (aggregatedPermissionProvider.abortEvaluation()) { + break; + } } } return isGranted && coveredPermissions == repositoryPermissions; Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java (revision 1858901) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java (date 1557315895000) @@ -229,6 +229,10 @@ return parent.typeProvider.getType(tree, parent.type); } + private static boolean doAbort(AggregatedPermissionProvider provider) { + return provider.abortEvaluation(); + } + //---< OR >----------------------------------------------------------------- private static final class CompositeTreePermissionOr extends CompositeTreePermission { 
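Review bot: `doAbort` in the CompositeTreePermission hunk at -229 only forwards to `provider.abortEvaluation()` and has no comment, while CompositePermissionProviderAnd and CompositePermissionProviderOr call the method directly and `break`. Either inline it in the later hunks of this file or give it a one-line comment explaining the indirection, e.g. `// single place to decide whether providers after this one are skipped`. The later hunks also replace `break` with an `abortEvaluation` flag in the loop condition, next to early `return`s. Writing `if (provider.abortEvaluation()) { break; }` would match the provider classes and keep the exit paths of these access checks easier to audit.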
@@ -247,10 +251,11 @@ boolean grantsPermission(long permissions, @Nullable PropertyState property) { boolean isGranted = false; long coveredPermissions = Permissions.NO_PERMISSION; - - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, permissions); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, permissions); if (doEvaluate(supported)) { for (long p : Permissions.aggregates(supported)) { boolean aGrant = (property == null) ? tp.isGranted(p) : tp.isGranted(p, property); @@ -259,6 +264,7 @@ isGranted = true; } } + abortEvaluation = doAbort(provider); } } return isGranted && coveredPermissions == permissions; @@ -270,14 +276,17 @@ return true; } boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = (property == null) ? tp.canRead() : tp.canRead(property); if (readable) { return true; } + abortEvaluation = doAbort(provider); } } return readable; 
@@ -286,14 +295,14 @@ @Override boolean grantsReadProperties() { boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, null, Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, null, Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = tp.canReadProperties(); - if (readable) { - break; - } + abortEvaluation = readable || doAbort(provider); } } return readable; @@ -319,16 +328,18 @@ boolean grantsPermission(long permissions, @Nullable PropertyState property) { boolean isGranted = false; long coveredPermissions = Permissions.NO_PERMISSION; - - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, permissions); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, permissions); if (doEvaluate(supported)) { isGranted = (property == null) ? tp.isGranted(supported) : tp.isGranted(supported, property); if (!isGranted) { return false; } coveredPermissions |= supported; + abortEvaluation = doAbort(provider); } } return isGranted && coveredPermissions == permissions; 
@@ -339,14 +350,17 @@ return true; } boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, property, (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = (property == null) ? tp.canRead() : tp.canRead(property); if (!readable) { return false; } + abortEvaluation = doAbort(provider); } } return readable; 
@@ -354,14 +368,14 @@ boolean grantsReadProperties() { boolean readable = false; - for (int i = 0; i < length(); i++) { + boolean abortEvaluation = false; + for (int i = 0; i < length() && !abortEvaluation; i++) { TreePermission tp = treePermission(i); - long supported = provider(i).supportedPermissions(tp, null, Permissions.READ_PROPERTY); + AggregatedPermissionProvider provider = provider(i); + long supported = provider.supportedPermissions(tp, null, Permissions.READ_PROPERTY); if (doEvaluate(supported)) { readable = tp.canReadProperties(); - if (!readable) { - break; - } + abortEvaluation = !readable || doAbort(provider); } } return readable; Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java (revision 1858901) +++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java (date 1556028054000) 
@@ -136,4 +136,7 @@ @NotNull TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreeType type, @NotNull TreePermission parentPermission); + default boolean abortEvaluation() { + return false; + } } Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java (revision 1858901) +++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java (date 1556889046000) @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -@Version("4.1.0") +@Version("4.2.0") package org.apache.jackrabbit.oak.spi.security.authorization.permission; import org.osgi.annotation.versioning.Version;
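Review bot: `abortEvaluation()` is added to the SPI without Javadoc, although it changes how access decisions are combined: every composite loop in this patch stops consulting later providers once a provider returns `true`. The Javadoc should say that the flag is honoured only after the provider has handled the item (as the visible `doEvaluate` guards suggest). It should also say that the method takes no tree, property or principal argument, so it applies to every request the provider handles, and that providers ordered after it are skipped in both AND and OR composition. Finally, it should require a stable return value, because the coverage loops and the evaluation loops each call it separately and would disagree if it changed between calls.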