AEM: ACL Bug with Restrictions (rep:glob) with Oak

in #aem, 8 years ago (edited)

We have been applying restrictions by pattern using rep:glob (as mentioned in the rules); however, there are a few rules which don't work as expected, i.e.:

allow, principal, jcr:read, rep:glob='' - Matches the current folder only
deny, principal, jcr:read, rep:glob='/*' - Matches all the child folders

We apply these rules especially when we want to break the auto-inheritance, i.e. give permission only to the current folder and not to any children. The workaround is to explicitly grant access to the child properties (especially jcr:primaryType), i.e.:

allow, principal, rep:readProperties, rep:glob='/jcr:primaryType'

The underlying problem was OAK-2441, which resulted in a different behavior of rep:glob="" being sufficient to read the node in the UI even if the underlying tree object was actually accessible.
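The following is an added example, not code from the original post or from Oak: a simplified model of how the three entries above evaluate for one principal. It assumes a hypothetical node `/content/secure`, that `*` in rep:glob matches any run of characters including `/`, and that the last matching entry in ACL order wins.

```python
import re

# jcr:read is an aggregate of these two privileges in Oak.
AGGREGATES = {"jcr:read": {"rep:readNodes", "rep:readProperties"}}

def glob_matches(node_path, glob, item_path):
    """Simplified rep:glob: node path + glob is matched against the item path;
    '*' matches any run of characters, including '/'."""
    if glob == "":
        return item_path == node_path  # the node itself, nothing below it
    pattern = ".*".join(re.escape(p) for p in (node_path + glob).split("*"))
    return re.fullmatch(pattern, item_path) is not None

def can_read(acl, node_path, item_path, is_property):
    """Model assumption: last matching entry wins (one principal, ACL order)."""
    needed = "rep:readProperties" if is_property else "rep:readNodes"
    allowed = False  # nothing is granted by default
    for is_allow, privilege, glob in acl:
        granted = AGGREGATES.get(privilege, {privilege})
        if needed in granted and glob_matches(node_path, glob, item_path):
            allowed = is_allow
    return allowed

def readable_items(acl, node_path, items):
    return [p for p, is_prop in items if can_read(acl, node_path, p, is_prop)]

# Constructed sample content under a hypothetical node (path, is_property).
NODE = "/content/secure"
ITEMS = [
    (NODE, False),
    (NODE + "/jcr:primaryType", True),
    (NODE + "/jcr:title", True),
    (NODE + "/child", False),
    (NODE + "/child/jcr:primaryType", True),
]

# The two rules from the post, then the same rules plus the workaround entry.
TWO_RULES = [(True, "jcr:read", ""), (False, "jcr:read", "/*")]
WITH_WORKAROUND = TWO_RULES + [(True, "rep:readProperties", "/jcr:primaryType")]

if __name__ == "__main__":
    print(readable_items(TWO_RULES, NODE, ITEMS))
    print(readable_items(WITH_WORKAROUND, NODE, ITEMS))
```

With only the first two entries the node is readable but its own jcr:primaryType is not; the third entry exposes that single property and nothing under the children.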


Thanks for the share @chetanyajain.
Have you used the other new restrictions introduced with Jackrabbit 2.x - rep:prefixes and rep:itemNames?
