@kwin kwin commented Oct 2, 2025

Oak takes care of that in
https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213 as soon as you try to apply those.
Otherwise you face exceptions when using restrictions only available at run-time in cloud (but not at build time).

This closes #854

@kwin kwin requested a review from ghenzler October 2, 2025 13:16
@kwin kwin force-pushed the bugfix/do-not-validate-restrictions branch from 0fc1f3b to a29cb18 Compare October 2, 2025 13:18
ggruianc commented Oct 2, 2025

@kwin there is another restrictions pre-validation in

```java
final Set<String> allowedRestrictionNames = getSupportedRestrictions(aclManager);
if (!allowedRestrictionNames.containsAll(restrictionNamesFromAceBean)) {
    restrictionNamesFromAceBean.removeAll(allowedRestrictionNames);
    valid = false;
    final String errorMessage = getBeanDescription(this.currentBeanCounter,
            tmpAceBean.getAuthorizableId())
            + ", this repository doesn't support following restriction(s): "
            + restrictionNamesFromAceBean;
    throw new InvalidRestrictionsException(errorMessage);
}
```

@kwin kwin force-pushed the bugfix/do-not-validate-restrictions branch from a29cb18 to 1c4b417 Compare October 2, 2025 15:52
kwin commented Oct 2, 2025

> @kwin there is another restrictions pre-validation in

Thanks, that validation should be removed now in 1c4b417

@kwin kwin requested a review from jochenkoschorke October 2, 2025 15:58
kwin added 2 commits October 2, 2025 18:17
Oak takes care of that in
https://github.com/apache/jackrabbit-oak/blob/17281282fe82d0f0c4e86d0a42ecfb20bfe404e3/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java#L213
as soon as you try to apply those.
Otherwise you face exceptions when using restrictions only available at
run-time in cloud (but not at build time).

This closes #854
@kwin kwin force-pushed the bugfix/do-not-validate-restrictions branch from 4662ece to d6dfc43 Compare October 2, 2025 16:18
sonarqubecloud bot commented Oct 2, 2025

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 31%)

See analysis details on SonarQube Cloud

restrictions:
rep:Glob: /cq:*
assertedException: InvalidRestrictionsException

Member

We should not just remove assertedException but then also the test case with the comment

Member Author

For me this test shows that invalid restrictions no longer lead to exceptions, therefore this is still helpful.

@kwin kwin merged commit b305efb into develop Oct 7, 2025
13 of 14 checks passed
Successfully merging this pull request may close these issues.

Metadata-driven permissions - Restrictions support