SOLVED

Query on ACL Permissions


Level 2

I am able to get a list of nodes using my query, but I want to get a list of nodes using certain permissions, e.g. a list of nodes having read-only permissions.

Is it possible to restrict the nodes using ACL permissions?

Any query example to accomplish this would be great.


4 Replies


Correct answer by
Employee Advisor

I guess that's not possible via JCR query, mostly because the access control system used by Jackrabbit (by default) and AEM relies on inheritance. So the permissions a user has on a certain node are not expressed as a node or properties, but are computed from inherited ACEs and ACEs directly attached to the node, from both groups (recursively) and the user itself.

So, you probably need to filter your query result via session.hasPermission().

kind regards,
Jörg


Level 9

You can try this link 

http://sling.apache.org/site/managing-users-and-groups-jackrabbitusermanager.html

As per the documentation from Yogesh, we should be able to get the info about a particular node as

http://www.wemblog.com/2012/03/how-to-do-user-management-using-post.html
Read Permission:

$ curl -u admin:admin -F:applyTo=myuser http://localhost:4502/<Path>.acl.json

OR

$ curl -u admin:admin -F:applyTo=myuser http://localhost:4502/<Path>.eacl.json

Somehow, when I tried http://localhost:4502/content/geometrixx/en.acl.json I get a 404 error.

I am not sure whether we have to do some configuration in order to get the ACL info of the node.

If you get JSON info from the URL, you can filter it for a particular permission.


Level 2

Hi Jörg,

This is a query I got from one of the forums. Can you confirm if this can be used:

select * from [rep:GrantACE] where ISDESCENDANTNODE([/PATHSPECIFIED/]) and [rep:privileges] ='jcr:read'

Thanks,

Techno


Employee Advisor

This gives you all the nodes which are rep:GrantACE nodes granting read permission. But it doesn't take ACL inheritance into account.

What you can do: the results of a query are filtered through the permissions of the session (which reflects the permissions of the user who logged in); when you have a user for whom you want to know the documents she can read, either just iterate through all of them or perform a query; you don't need to filter by any ACL yourself, as the repository is doing that.

Remember: when you have a session, you can only access nodes the user has read permission on, be it via session.getNode() or via JCR query.

kind regards,
Jörg
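The two approaches Jörg describes (filtering query hits through session.hasPermission(), and simply running the query as the user so the repository filters for you), as an added example using the plain JCR API. This is not code from the thread or from AEM; the class, method and query names are hypothetical, and it assumes the caller supplies a session that is allowed to impersonate the target user (admin on a local dev instance, or a service user with impersonation rights).

```java
import java.util.ArrayList;
import java.util.List;

import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

/**
 * Two ways to answer "which nodes can user X read (or only read)?" without
 * querying rep:GrantACE nodes, which would ignore ACL inheritance and group
 * membership. Assumption (not from the thread): privilegedSession may
 * impersonate userId; the query is JCR-SQL2.
 */
public class PermissionFilteredQuery {

    // Hypothetical query; any JCR-SQL2 statement will do.
    static final String QUERY =
        "SELECT * FROM [cq:Page] AS p WHERE ISDESCENDANTNODE(p, '/content')";

    /**
     * Approach 1: run the query as the user. The repository evaluates the
     * full ACL chain (inherited ACEs, group ACEs) and silently drops every
     * node the user cannot read, so no manual ACL filtering is needed.
     */
    public static List<String> readableBy(Session privilegedSession, String userId, String sql2)
            throws RepositoryException {
        // Impersonation ignores the password; an empty char[] is the usual idiom.
        Session userSession = privilegedSession.impersonate(
            new SimpleCredentials(userId, new char[0]));
        try {
            List<String> paths = new ArrayList<>();
            QueryManager qm = userSession.getWorkspace().getQueryManager();
            NodeIterator it = qm.createQuery(sql2, Query.JCR_SQL2).execute().getNodes();
            while (it.hasNext()) {
                paths.add(it.nextNode().getPath());
            }
            return paths;
        } finally {
            userSession.logout();
        }
    }

    /**
     * Approach 2: run the query with the privileged session (sees everything),
     * then ask the user's session via hasPermission() whether each hit is
     * readable but not writable. This answers the original question ("nodes
     * with read-only permissions") and still honours inheritance, because
     * hasPermission() is evaluated by the repository's access control code.
     */
    public static List<String> readOnlyFor(Session privilegedSession, String userId, String sql2)
            throws RepositoryException {
        Session userSession = privilegedSession.impersonate(
            new SimpleCredentials(userId, new char[0]));
        try {
            List<String> readOnly = new ArrayList<>();
            QueryManager qm = privilegedSession.getWorkspace().getQueryManager();
            NodeIterator it = qm.createQuery(sql2, Query.JCR_SQL2).execute().getNodes();
            while (it.hasNext()) {
                String path = it.nextNode().getPath();
                if (isReadOnly(userSession, path)) {
                    readOnly.add(path);
                }
            }
            return readOnly;
        } finally {
            userSession.logout();
        }
    }

    /** Read is granted and none of the write actions is. */
    static boolean isReadOnly(Session userSession, String path) throws RepositoryException {
        if (!userSession.hasPermission(path, Session.ACTION_READ)) {
            return false; // not readable at all, so not "read-only" either
        }
        // ADD_NODE is checked against the path the new child would get;
        // "newchild" is a placeholder name, nothing is actually created.
        boolean canWrite =
               userSession.hasPermission(path, Session.ACTION_SET_PROPERTY)
            || userSession.hasPermission(path, Session.ACTION_REMOVE)
            || userSession.hasPermission(path + "/newchild", Session.ACTION_ADD_NODE);
        return !canWrite;
    }
}
```

Call it as `PermissionFilteredQuery.readOnlyFor(session, "myuser", PermissionFilteredQuery.QUERY)`. Each action is checked with a separate hasPermission() call on purpose: passing a comma-separated action list returns true only when all of them are granted, which is not what a "can write in any way" test wants. Approach 1 is cheaper when you only need "what can the user see"; approach 2 is needed when you want to distinguish read from read-plus-write.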