}
/**
 * Verifies how node-based and principal-based access control content combine
 * when both apply to the same test user.
 *
 * <p>The scenario runs in four steps, each followed by permission checks made
 * through the test user's own session and access control manager:
 * <ol>
 *   <li>READ is withdrawn node-based at {@code path} and granted
 *       principal-based to the test group: READ must stay denied.</li>
 *   <li>The node-based policy is removed again: READ must be back.</li>
 *   <li>REP_WRITE is granted node-based at {@code path}, then
 *       MODIFY_PROPERTIES is withdrawn principal-based for the test user:
 *       setting a property below {@code path} must still be allowed.</li>
 *   <li>MODIFY_PROPERTIES is withdrawn node-based at {@code childNPath}:
 *       the deny must apply at the child only, not at {@code path}.</li>
 * </ol>
 *
 * <p>Which store each helper writes to (node-based vs. principal-based) is taken
 * from the original inline comments and the restriction helpers used; the
 * helpers themselves are defined outside this method.
 *
 * <p>The statement order is significant: every assertion depends on the ACL
 * state left behind by the preceding modification.
 *
 * @throws RepositoryException if a repository operation fails
 * @throws NotExecutableException if the test preconditions cannot be set up
 */
public void testCombinedPolicies() throws RepositoryException, NotExecutableException {
    Group group = getTestGroup();
    SessionImpl userSession = getTestSession();
    AccessControlManager userAcMgr = getTestACManager();

    // Action names used for the session-level permission checks below.
    final String readAction = org.apache.jackrabbit.api.jsr283.Session.ACTION_READ;
    final String setPropertyAction = org.apache.jackrabbit.api.jsr283.Session.ACTION_SET_PROPERTY;

    // Precondition: the test user has READ-only permission on the test node
    // and everything below it.
    checkReadOnly(path);

    Privilege[] readOnly = privilegesFromName(Privilege.JCR_READ);

    // Step 1 -- conflicting entries for READ.
    // Node-based: withdraw READ for the test user at 'path'.
    withdrawPrivileges(path, readOnly, getRestrictions(superuser, path));
    // Principal-based: grant READ to the test group.
    givePrivileges(
            path,
            group.getPrincipal(),
            readOnly,
            getPrincipalBasedRestrictions(path),
            false);

    // The node-based deny takes precedence over the principal-based grant, so
    // the item must be invisible and READ must be reported as missing. If this
    // precedence ever flipped, a group grant could override an explicit deny.
    assertFalse(userSession.itemExists(path));
    assertFalse(userSession.hasPermission(path, readAction));
    assertFalse(userAcMgr.hasPrivileges(path, readOnly));

    // Step 2 -- drop the node-based policy and persist the change.
    JackrabbitAccessControlList nodeAcl = getPolicy(acMgr, path, getTestUser().getPrincipal());
    acMgr.removePolicy(nodeAcl.getPath(), nodeAcl);
    superuser.save();

    // With the deny gone, READ is effective again.
    assertTrue(userSession.itemExists(path));
    assertTrue(userSession.hasPermission(path, readAction));
    assertTrue(userAcMgr.hasPrivileges(path, readOnly));

    // Step 3 -- node-based grant versus principal-based deny.
    // Node-based: grant WRITE for the test user at 'path'.
    Privilege[] writePrivs = privilegesFromName(PrivilegeRegistry.REP_WRITE);
    givePrivileges(path, writePrivs, getRestrictions(superuser, path));
    // Principal-based: withdraw MODIFY_PROPERTIES for the test user's principal.
    Privilege[] modifyProps = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
    withdrawPrivileges(
            path,
            getTestUser().getPrincipal(),
            modifyProps,
            getPrincipalBasedRestrictions(path),
            false);

    // The node-based grant still wins: properties can be set and the WRITE
    // privilege set is intact.
    // NOTE(review): the privilege-level check here uses the WRITE set; the
    // direct MODIFY_PROPERTIES check at 'path' only happens in step 4.
    assertTrue(userSession.hasPermission(path+"/anyproperty", setPropertyAction));
    assertTrue(userAcMgr.hasPrivileges(path, writePrivs));

    // Step 4 -- node-based deny of MODIFY_PROPERTIES on a child node.
    withdrawPrivileges(
            childNPath,
            getTestUser().getPrincipal(),
            modifyProps,
            getRestrictions(superuser, childNPath));

    // MODIFY_PROPERTIES remains effective at 'path' ...
    assertTrue(userSession.hasPermission(path+"/anyproperty", setPropertyAction));
    assertTrue(userAcMgr.hasPrivileges(path, modifyProps));
    // ... but is denied at 'childNPath'.
    assertFalse(userSession.hasPermission(childNPath+"/anyproperty", setPropertyAction));
    assertFalse(userAcMgr.hasPrivileges(childNPath, modifyProps));
}