Expand my Community achievements bar.

SOLVED

Query on ACL Permissions

Avatar

Level 2
Level 2
10/15/15 7:26:03 PM

I am able to get a list of nodes using my query but want to get a list of nodes using certain permissions for e.g. list of nodes having read only permissions

Is it possible to restrict the nodes using ACL permissions.

Any query example to accomplish this would be great.

Views

2.2K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/15/15 7:26:03 PM

I guess, that's not possible via JCR Query; mostly because the access control system used by Jackrabbit (by default) and AEM relies on inheritance. So the permissions a user has on a certain node is not expressed as a node or properties, but is computed out of inherited ACEs and ACEs directly attached to the node, from both groups (recursivly) and the user itself.

So, you probably need to filter your query result via session.hasPermission().

kind regards,
Jörg

View solution in original post

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/15/15 7:26:03 PM

I guess, that's not possible via JCR Query; mostly because the access control system used by Jackrabbit (by default) and AEM relies on inheritance. So the permissions a user has on a certain node is not expressed as a node or properties, but is computed out of inherited ACEs and ACEs directly attached to the node, from both groups (recursivly) and the user itself.

So, you probably need to filter your query result via session.hasPermission().

kind regards,
Jörg

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 9
Level 9
10/15/15 7:26:03 PM

You can try this link 

http://sling.apache.org/site/managing-users-and-groups-jackrabbitusermanager.html

As per the documentation from Yogesh, we should be able to get the info about a particular not as

http://www.wemblog.com/2012/03/how-to-do-user-management-using-post.html
Read Permission:

$ curl -u admin:admin -F:applyTo=myuser http://localhost:4502/<Path>.acl.json

OR

$ curl -u admin:admin -F:applyTo=myuser http://localhost:4502/<Path>.eacl.json

Somehow when I tried http://localhost:4502/content/geometrixx/en.acl.json I get 404 error

I am not sure whether we have to do some configuration in order to get acl info of the node.

If you get json info from the URL you can filter out for a particular permission.

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
10/15/15 7:26:03 PM

Hi J'org,

This is a query I got from one of the forums. Can you confirm if this can be used:

select * from [rep:GrantACE] where ISDESCENDANTNODE([/PATHSPECIFIED/]) and [rep:privileges] ='jcr:read'

Thanks,

Techno

Views

1.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
10/15/15 7:26:03 PM

This gives you all the nodes, which have are a rep:GrantACE nodes which give read permissions.  But you don't take the ACL inheritance into account.

What you can do: the results of a query are filtered through the permissions of the sessions (which reflects the permissions of the user, which logged in); when you have a user, for which you want to know the documents which she can read, either just iterate through all of them or perform a query; you don't need to filter by any ACL yourself, as the repository is doing that.

Remember: When you have a session, you can only access nodes the user has read permissions on. Be it via session.getNode() or via JCR query.

kind regards,
Jörg

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate