OAK-8689 : AccessControlManager.getEffectivePolicies doesn't include …

…ReadPolicy for subtrees git-svn-id: https://svn.apache.org/repos/asf/jackrabbit/oak/trunk@1868229 13f79535-47bb-0310-9956-ffa450edef68
sammiee2000 · Oct 10, 2019 · db8ded9 · db8ded9
1 parent 54bb726
commit db8ded9
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/.../apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java b/.../apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
@@ -167,12 +167,27 @@ public AccessControlPolicy[] getEffectivePolicies(@Nullable String absPath) thro
                 parentPath = (PathUtils.denotesRoot(parentPath)) ? "" : Text.getRelativeParent(parentPath, 1);
             }
         }
-        if (readPaths.contains(oakPath)) {
+        if (isEffectiveReadPath(oakPath)) {
             effective.add(ReadPolicy.INSTANCE);
         }
         return effective.toArray(new AccessControlPolicy[0]);
     }
 
+    private boolean isEffectiveReadPath(@Nullable String oakPath) {
+        if (oakPath == null) {
+            return false;
+        }
+        if (readPaths.contains(oakPath)) {
+            return true;
+        }
+        for (String rp : readPaths) {
+            if (Text.isDescendant(rp, oakPath)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     @NotNull
     @Override
     public AccessControlPolicyIterator getApplicablePolicies(@Nullable String absPath) throws RepositoryException {

diff --git a/...t/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java b/...t/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
@@ -79,6 +79,17 @@ public void testGetPolicies() throws Exception {
         }
     }
 
+    @Test
+    public void tsetGetPoliciesInSubtrees() throws Exception {
+        for (String path : subTreePaths) {
+            for (AccessControlPolicy policy : getAccessControlManager(root).getPolicies(path)) {
+                if (policy instanceof ReadPolicy) {
+                    fail("ReadPolicy must only be bound to configured path.");
+                }
+            }
+        }
+    }
+
     @Test
     public void testGetEffectivePolicies() throws Exception {
         for (String path : readPaths) {
@@ -94,6 +105,21 @@ public void testGetEffectivePolicies() throws Exception {
         }
     }
 
+    @Test
+    public void testGetEffectivePoliciesInSubTrees() throws Exception {
+        for (String path : subTreePaths) {
+            AccessControlPolicy[] policies = getAccessControlManager(root).getEffectivePolicies(path);
+            boolean found = false;
+            for (AccessControlPolicy policy : policies) {
+                if (policy instanceof ReadPolicy) {
+                    found = true;
+                    break;
+                }
+            }
+            assertTrue(found);
+        }
+    }
+
     @Test
     public void testGetName() throws Exception {
         AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(readPaths.iterator().next());