1 Reply Latest reply on Dec 3, 2014 8:35 AM by hchiorean

    Handling of ACL's with the "admin" role in repository

    vitbit1978
    vitbit1978 Dec 3, 2014 8:24 AM

      Dear Modeshape community,

       

      we figured out the strange Modeshape behaviour regarding the ACL checking for "admin" role. Here our use-case:

       

      1. User with admin role sets ACL's to a node

       

      2. The ACL contains read-permission for "User 1" and "User 2"

       

      3. The code to set the ACL looks like that:

      Credentials credentials = new SimpleCredentials("admin", "password".toCharArray());
// Create a session to the repository default
session = repository.login(credentials, "default");
//Get node by ID
repoSession.getNodeByIdentifier("a05563e9-05e9-47d4-b031-c04ddeb8fb12");
//Get Access control manager
AccessControlManager acm = session.getAccessControlManager();
//Get ACL for the node
AccessControlList acl = null;
AccessControlPolicyIterator it = acm.getApplicablePolicies(node.getPath());
if (it.hasNext()) {
     acl = (AccessControlList)it.nextAccessControlPolicy();
} else {
     acl = (AccessControlList)acm.getPolicies(node.getPath())[0];
}
//Set acl for User 1
acl.addAccessControlEntry(new RepositoryPrincipal("user1"), new Privilege[]{Privilege.JCR_READ});
//Set acl for User 2
acl.addAccessControlEntry(new RepositoryPrincipal("user2"), new Privilege[]{Privilege.JCR_READ});
//Set the policy for path
cm.setPolicy(node.getPath(), acl);
//Save the session
ession.save();

       

      4. After execution of this code, the "user1" and "user2" are able to access read-only the node, but the "admin" user do not!

       

      Does it means for us, every time if we set ACL's we need to add Privlige.JCR_ALL permission for the "admin" user? Or may be Modeshape provides a "System" - account, that allows dealing with all nodes in Repository?

       

      Thanks in advance!

      Best regards

      Vitali

      • 192 Views
      • Categories: ModeShape 4.0
      • Tags:
        • 1. Re: Handling of ACL's with the "admin" role in repository
          hchiorean
          hchiorean Dec 3, 2014 8:35 AM (in response to vitbit1978)

          This behavior is standard afaik (i.e. complies with the JSR 283 spec): when you're dealing with ACLs, initially there is no policy in effect for a node. Once you create/add entries to the policy that will be take effect based on *only* the entries from that policy and nothing else. There are no "magic defaults". So you need to make sure in your code, when you're changing ACLs that you're preserving whatever sensible defaults your application needs.

          1 of 1 people found this helpful
            • Actions