AEM: ACL Bug with Restrictions (rep:glob) with Oak

in aem •  8 years ago  (edited)

We have been applying Restrictions by pattern using rep:glob (as mentioned in the rules); however, there are a few rules which don't work as expected, i.e.:

allow, principal, jcr:read, rep:glob='' - Matches the current folder only
deny, principal, jcr:read, rep:glob='/*' - Matches all the child folders

We apply these rules especially when we want to break the auto-inheritance, i.e. give permission only to the current folder and not to any children. So the hack for this is to explicitly grant access to the child properties (especially jcr:primaryType), i.e.:

allow, principal, rep:readProperties, rep:glob='/jcr:primaryType'

The underlying problem was OAK-2441, which resulted in a different behavior of rep:glob="" being sufficient to read the node in the UI even if the underlying tree object was actually accessible.
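
As an added illustration (not code from the original post or from Oak itself), here is a simplified Python model of how the three entries above combine, showing which items stay readable with and without the jcr:primaryType entry. It assumes the documented rep:glob matching, where the restriction is appended to the path of the node carrying the ACL and `*` matches any characters including `/`, plus a single principal with later entries overriding earlier ones; the folder path and item list are constructed.

```python
import re

# Privilege aggregation: jcr:read = rep:readNodes + rep:readProperties.
AGGREGATES = {"jcr:read": {"rep:readNodes", "rep:readProperties"}}

def glob_matches(acl_path, glob, item_path):
    """Simplified rep:glob model: the restriction is appended to the ACL node path."""
    if glob is None:   # no restriction: the node and all descendants
        return item_path == acl_path or item_path.startswith(acl_path + "/")
    if glob == "":     # the node itself only, not even its properties
        return item_path == acl_path
    # '*' matches any run of characters, including '/'
    pattern = ".*".join(re.escape(part) for part in (acl_path + glob).split("*"))
    return re.fullmatch(pattern, item_path) is not None

def can_read(acl_path, entries, item_path, is_property):
    """Assumption: one principal, one ACL, later entries override earlier ones."""
    needed = "rep:readProperties" if is_property else "rep:readNodes"
    allowed = False    # nothing is granted by default
    for is_allow, privilege, glob in entries:
        grants = AGGREGATES.get(privilege, {privilege})
        if needed in grants and glob_matches(acl_path, glob, item_path):
            allowed = is_allow
    return allowed

ACL_PATH = "/content/site/folder"   # constructed example path
PAGE_RULES = [
    (True, "jcr:read", ""),         # allow: current folder only
    (False, "jcr:read", "/*"),      # deny: everything below it
]
# The entry from the post that re-opens the node's own jcr:primaryType.
WORKAROUND = PAGE_RULES + [(True, "rep:readProperties", "/jcr:primaryType")]

ITEMS = [  # (path, is_property), constructed sample items
    (ACL_PATH, False),
    (ACL_PATH + "/jcr:primaryType", True),
    (ACL_PATH + "/jcr:title", True),
    (ACL_PATH + "/child", False),
    (ACL_PATH + "/child/jcr:primaryType", True),
]

def readable(entries):
    return [p for p, is_prop in ITEMS if can_read(ACL_PATH, entries, p, is_prop)]

if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("with workaround", WORKAROUND)):
        print(name, "->", readable(rules))
```

In this model the first two entries leave only the folder node itself readable, and the third entry adds back exactly one property path without reopening any child node.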


Thanks for the share @chetanyajain.
Have you used the other new restrictions introduced with Jackrabbit 2.x - rep:prefixes and rep:itemNames?