Adobe Experience Manager Sites & More

88858280 · 10/15/15

I am able to get a list of nodes using my query but want to get a list of nodes using certain permissions for e.g. list of nodes having read only permissions

Is it possible to restrict the nodes using ACL permissions.

Any query example to accomplish this would be great.

Jörg_Hoh · 10/15/15

I guess, that's not possible via JCR Query; mostly because the access control system used by Jackrabbit (by default) and AEM relies on inheritance. So the permissions a user has on a certain node is not expressed as a node or properties, but is computed out of inherited ACEs and ACEs directly attached to the node, from both groups (recursivly) and the user itself.

So, you probably need to filter your query result via session.hasPermission().

kind regards,
Jörg

View solution in original post

Jörg_Hoh · 10/15/15

I guess, that's not possible via JCR Query; mostly because the access control system used by Jackrabbit (by default) and AEM relies on inheritance. So the permissions a user has on a certain node is not expressed as a node or properties, but is computed out of inherited ACEs and ACEs directly attached to the node, from both groups (recursivly) and the user itself.

So, you probably need to filter your query result via session.hasPermission().

kind regards,
Jörg

Mshaji · 10/15/15

You can try this link

http://sling.apache.org/site/managing-users-and-groups-jackrabbitusermanager.html

As per the documentation from Yogesh, we should be able to get the info about a particular not as

http://www.wemblog.com/2012/03/how-to-do-user-management-using-post.html
Read Permission:

$ curl -u admin:admin -F:applyTo=myuser http://localhost:4502/<Path>.acl.json

OR

$ curl -u admin:admin -F:applyTo=myuser http://localhost:4502/<Path>.eacl.json

Somehow when I tried http://localhost:4502/content/geometrixx/en.acl.json I get 404 error

I am not sure whether we have to do some configuration in order to get acl info of the node.

If you get json info from the URL you can filter out for a particular permission.

88858280 · 10/15/15

Hi J'org,

This is a query I got from one of the forums. Can you confirm if this can be used:

select * from [rep:GrantACE] where ISDESCENDANTNODE([/PATHSPECIFIED/]) and [rep:privileges] ='jcr:read'

Thanks,

Techno

Jörg_Hoh · 10/15/15

This gives you all the nodes, which have are a rep:GrantACE nodes which give read permissions. But you don't take the ACL inheritance into account.

What you can do: the results of a query are filtered through the permissions of the sessions (which reflects the permissions of the user, which logged in); when you have a user, for which you want to know the documents which she can read, either just iterate through all of them or perform a query; you don't need to filter by any ACL yourself, as the repository is doing that.

Remember: When you have a session, you can only access nodes the user has read permissions on. Be it via session.getNode() or via JCR query.

kind regards,
Jörg