1 Reply Latest reply on Dec 3, 2014 8:35 AM by Horia Chiorean

    Handling of ACL's with the "admin" role in repository

    Vitali Belenki Newbie

      Dear Modeshape community,

       

      we figured out the strange Modeshape behaviour regarding the ACL checking for "admin" role. Here our use-case:

       

      1. User with admin role sets ACL's to a node

       

      2. The ACL contains read-permission for "User 1" and "User 2"

       

      3. The code to set the ACL looks like that:

      Credentials credentials = new SimpleCredentials("admin", "password".toCharArray());
      // Create a session to the repository default
      session = repository.login(credentials, "default");
      //Get node by ID
      repoSession.getNodeByIdentifier("a05563e9-05e9-47d4-b031-c04ddeb8fb12");
      //Get Access control manager
      AccessControlManager acm = session.getAccessControlManager();
      //Get ACL for the node
      AccessControlList acl = null;
      AccessControlPolicyIterator it = acm.getApplicablePolicies(node.getPath());
      if (it.hasNext()) {
           acl = (AccessControlList)it.nextAccessControlPolicy();
      } else {
           acl = (AccessControlList)acm.getPolicies(node.getPath())[0];
      }
      //Set acl for User 1
      acl.addAccessControlEntry(new RepositoryPrincipal("user1"), new Privilege[]{Privilege.JCR_READ});
      //Set acl for User 2
      acl.addAccessControlEntry(new RepositoryPrincipal("user2"), new Privilege[]{Privilege.JCR_READ});
      //Set the policy for path
      cm.setPolicy(node.getPath(), acl);
      //Save the session
      ession.save();
      
      

       

      4. After execution of this code, the "user1" and "user2" are able to access read-only the node, but the "admin" user do not!

       

      Does it means for us, every time if we set ACL's we need to add Privlige.JCR_ALL permission for the "admin" user? Or may be Modeshape provides a "System" - account, that allows dealing with all nodes in Repository?

       

      Thanks in advance!

      Best regards

      Vitali

        • 1. Re: Handling of ACL's with the "admin" role in repository
          Horia Chiorean Master

          This behavior is standard afaik (i.e. complies with the JSR 283 spec): when you're dealing with ACLs, initially there is no policy in effect for a node. Once you create/add entries to the policy that will be take effect based on *only* the entries from that policy and nothing else. There are no "magic defaults". So you need to make sure in your code, when you're changing ACLs that you're preserving whatever sensible defaults your application needs.

          1 of 1 people found this helpful