Hi!
While working on User/Group setup I faced a problem.
I have the following hierarchy:
sling:OrderedFolder (folder1)
|__cq:Page (page1)
|__cq:Page (page2)
|  |__cq:Page (subpage1)
|  |__...
|  |__cq:Page (subpageN)
|__...
|__cq:Page (pageN)
I need to deny access to all the pages except page1 and page2/subpage1.
So, the restricted hierarchy must be the following:
sling:OrderedFolder (folder1)
|__cq:Page (page1)
|__cq:Page (page2)
   |__cq:Page (subpage1)
I need to use Wildcard ACLs (using rep:glob) because the total number of pages is unknown and differs from one environment to another.
My _rep_policy.xml for folder1's parent level is:
<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:crx="http://www.day.com/crx/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
    <deny
        jcr:primaryType="rep:DenyACE"
        rep:principalName="editors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions
            jcr:primaryType="rep:Restrictions"
            rep:glob="/folder1/*"
            rep:ntNames="{Name}[cq:Page]"/>
    </deny>
    <allow0
        jcr:primaryType="rep:GrantACE"
        rep:principalName="editors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions
            jcr:primaryType="rep:Restrictions"
            rep:glob="/folder1/page2"/>
    </allow0>
    <deny0
        jcr:primaryType="rep:DenyACE"
        rep:principalName="editors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions
            jcr:primaryType="rep:Restrictions"
            rep:glob="/folder1/page2/*"
            rep:ntNames="{Name}[cq:Page]"/>
    </deny0>
</jcr:root>
In the useradmin console the checkboxes are chosen correctly, but when I try to open siteadmin the following exception appears:
org.apache.sling.jcr.resource.internal.helper.jcr.JcrNodeResourceIterator seek: Problem creating Resource for next node, skipping
javax.jcr.RepositoryException: Node /folder1/page2 doesn't have primary type set.
Besides, http://localhost:4502/folder1/page2.json returns a 404 error.
My assumption is that rep:glob="/folder1/page2/*" denies the parent node (page2) as well as its children.
Does anyone know how to restrict all the pages except one using a Wildcard ACL to implement the needed hierarchy?
Thank you in advance!