Skip to content

Do not pre-validate restrictions #855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Do not pre-validate restrictions #855

wants to merge 2 commits into from

Conversation

kwin
Copy link
Member

@kwin kwin commented Oct 2, 2025

Oak takes care of that in
https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213 as soon as you try to apply those.
Otherwise you face exceptions when using restrictions only available at run-time in cloud (but not at build time).

This closes #854

@kwin kwin requested a review from ghenzler October 2, 2025 13:16
@kwin kwin force-pushed the bugfix/do-not-validate-restrictions branch from 0fc1f3b to a29cb18 Compare October 2, 2025 13:18
@ggruianc
Copy link

ggruianc commented Oct 2, 2025
edited
Loading

@kwin there is another restrictions pre-validation in

accesscontroltool/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/validators/impl/AceBeanValidatorImpl.java

Lines 134 to 144 in 8fdc6ba

final Set<String> allowedRestrictionNames = getSupportedRestrictions(aclManager);
if (!allowedRestrictionNames.containsAll(restrictionNamesFromAceBean)) {
restrictionNamesFromAceBean.removeAll(allowedRestrictionNames);
valid = false;
final String errorMessage = getBeanDescription(this.currentBeanCounter,
tmpAceBean.getAuthorizableId())
+ ", this repository doesn't support following restriction(s): "
+ restrictionNamesFromAceBean;
throw new InvalidRestrictionsException(errorMessage);
}

@kwin kwin force-pushed the bugfix/do-not-validate-restrictions branch from a29cb18 to 1c4b417 Compare October 2, 2025 15:52
@kwin
Copy link
Member Author

kwin commented Oct 2, 2025

@kwin there is another restrictions pre-validation in

Thanks, that validation should be removed now in 1c4b417

@kwin kwin requested a review from jochenkoschorke October 2, 2025 15:58
kwin added 2 commits October 2, 2025 18:17
@kwin
Do not pre-validate restrictions
6633128 
Oak takes care of that in
https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213
as soon as you try to apply those.
Otherwise you face exceptions when using restrictions only available at
run-time in cloud (but not at build time).

This closes #854
@kwin
Remove test for additional validation of restrictions
d6dfc43
@kwin kwin force-pushed the bugfix/do-not-validate-restrictions branch from 4662ece to d6dfc43 Compare October 2, 2025 16:18
@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Oct 2, 2025

Quality Gate Failed Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 31%)

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghenzler ghenzler Awaiting requested review from ghenzler

@jochenkoschorke jochenkoschorke Awaiting requested review from jochenkoschorke

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Metadata-driven permissions - Restrictions support
2 participants
@kwin @ggruianc