use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class L5_SpecialPermissionsTest method testUserManagement.
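/**
 * Verifies that the test session may change the password of 'testUser2' but is denied
 * when it tries to change the password of the admin user.
 *
 * <p>Permission setup: 'testGroup' is granted {@code jcr:all} on the default user path and
 * a deny entry for the everyone principal is placed on the admin user's node. The deny
 * entry has to name {@code rep:userManagement} explicitly: {@code jcr:all} contains that
 * privilege, whereas {@code rep:write} only aggregates {@code jcr:write} and
 * {@code jcr:nodeTypeManagement}. Denying {@code rep:write} alone therefore leaves the
 * password change on the admin user permitted.
 *
 * @throws RepositoryException if the permission setup or a repository operation fails
 */
@Test
public void testUserManagement() throws RepositoryException {
    // EXERCISE (resolved below): the original setup denied only rep:write on the admin
    // user, which does not cover user-management operations such as a password change.

    // Grant full access on the user tree to 'testGroup'.
    // NOTE(review): assumes the test session's user is a member of 'testGroup'; the
    // membership is set up outside this method.
    paths.add(UserConstants.DEFAULT_USER_PATH);
    AccessControlUtils.addAccessControlEntry(superuser, UserConstants.DEFAULT_USER_PATH, testGroupPrincipal,
            new String[] { Privilege.JCR_ALL }, true);

    // Deny writing AND user management on the admin user's node, so that the broad
    // jcr:all grant above cannot be used to take over the admin account.
    String adminPath = ((JackrabbitSession) superuser).getUserManager()
            .getAuthorizable(superuser.getUserID()).getPath();
    paths.add(adminPath);
    AccessControlUtils.addAccessControlEntry(superuser, adminPath, EveryonePrincipal.getInstance(),
            new String[] { PrivilegeConstants.REP_WRITE, PrivilegeConstants.REP_USER_MANAGEMENT }, false);

    // Execute the test: the password of 'testUser2' can be changed ...
    JackrabbitSession s = (JackrabbitSession) createTestSession();
    User u2 = s.getUserManager().getAuthorizable(testUser2.getID(), User.class);
    u2.changePassword("gugus");
    s.save();

    // ... but the password of the admin user cannot.
    try {
        User admin = s.getUserManager().getAuthorizable(superuser.getUserID(), User.class);
        admin.changePassword("gugus");
        s.save();
        fail("privilege escalation!");
    } catch (AccessDeniedException e) {
        // success: the deny entry on the admin node is effective
    } finally {
        // discard the rejected transient change so it cannot leak into later operations
        s.refresh(false);
    }
}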
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AbstractAutoCreatedPropertyTest method testReplaceNode.
/**
 * Replaces the target node by a new node of the same name and primary type, adds the
 * mixin under test and expects the save to be rejected with an
 * {@link AccessDeniedException}.
 *
 * <p>Only {@code jcr:modifyProperties} and {@code jcr:nodeTypeManagement} are granted at
 * {@code path} here. NOTE(review): which missing privilege triggers the denial depends on
 * the fixture set up outside this method.
 */
@Test
public void testReplaceNode() throws Exception {
    String[] grantedNames = { Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT };
    allow(path, privilegesFromNames(grantedNames));

    // remove the existing node, then re-create it under the same parent
    testSession.removeItem(targetNode.getPath());
    Node parent = testSession.getNode(childNPath);
    String nodeName = targetNode.getName();
    String primaryTypeName = targetNode.getPrimaryNodeType().getName();
    Node replacement = parent.addNode(nodeName, primaryTypeName);
    replacement.addMixin(getMixinName());

    try {
        testSession.save();
        fail();
    } catch (AccessDeniedException denied) {
        // expected: drop the rejected transient changes
        testSession.refresh(false);
    }
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testReadAccessControlWithoutPrivilege.
/**
 * Checks that a session holding only {@code jcr:read} at {@code path} cannot see or read
 * any access control content stored there.
 *
 * <p>The policy node, its ACE child nodes and their properties must be invisible to the
 * test session, and reading policies through the access control manager must fail with
 * an {@link AccessDeniedException}.
 */
@Test
public void testReadAccessControlWithoutPrivilege() throws Exception {
    // re-grant READ so that an ACL node exists at 'path'
    Privilege[] readOnly = privilegesFromName(Privilege.JCR_READ);
    JackrabbitAccessControlList acl = allow(path, readOnly);
    String policyPath = acl.getPath() + "/rep:policy";

    // the superuser must see the freshly created 'rep:policy' node
    assertTrue(superuser.itemExists(policyPath));

    // The test user still has READ access only: neither the policy node nor anything
    // below it may be visible, and jcr:readAccessControl must not be held.
    assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
    assertFalse(testSession.itemExists(policyPath));
    assertFalse(testSession.nodeExists(policyPath));

    // direct item access reports "not found" rather than "denied"
    try {
        testSession.getNode(policyPath);
        fail("Accessing the rep:policy node must throw PathNotFoundException.");
    } catch (PathNotFoundException expected) {
        // ok.
    }

    // reading policies through the access control API is denied
    try {
        testAcMgr.getPolicies(acl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException expected) {
        // success
    }
    try {
        testAcMgr.getEffectivePolicies(acl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException expected) {
        // success
    }

    // every ACE node and each of its properties must be hidden from the test session
    NodeIterator entries = superuser.getNode(policyPath).getNodes();
    while (entries.hasNext()) {
        Node entry = entries.nextNode();
        String entryPath = entry.getPath();
        assertFalse(testSession.nodeExists(entryPath));

        PropertyIterator props = entry.getProperties();
        while (props.hasNext()) {
            assertFalse(testSession.propertyExists(props.nextProperty().getPath()));
        }
    }
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testAccessControlModificationWithoutPrivilege.
/**
 * Checks that a session which may add and remove child nodes and modify properties at
 * {@code path} still cannot set or remove the access control policy there.
 *
 * <p>Both {@code setPolicy} and {@code removePolicy} are expected to fail with an
 * {@link AccessDeniedException}.
 */
@Test
public void testAccessControlModificationWithoutPrivilege() throws Exception {
    // give 'testUser' ADD_CHILD_NODES | REMOVE_CHILD_NODES | MODIFY_PROPERTIES at 'path'
    String[] grantedNames = {
        Privilege.JCR_ADD_CHILD_NODES,
        Privilege.JCR_REMOVE_CHILD_NODES,
        Privilege.JCR_MODIFY_PROPERTIES
    };
    Privilege[] granted = privilegesFromNames(grantedNames);
    JackrabbitAccessControlList acl = allow(path, granted);
    String policyPath = acl.getPath() + "/rep:policy";

    // the superuser must see the freshly created 'rep:policy' node
    assertTrue(superuser.itemExists(policyPath));

    // content write privileges must not imply permission to modify AC items
    try {
        testAcMgr.setPolicy(acl.getPath(), acl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException expected) {
        // success
    }

    try {
        testAcMgr.removePolicy(acl.getPath(), acl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException expected) {
        // success
    }
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testReorderPolicyNode.
/**
 * Checks that reordering child nodes is denied for the test session until
 * {@code jcr:all} is granted at {@code path}, after which both the regular child nodes
 * and the {@code rep:policy} node can be reordered.
 *
 * @throws NotExecutableException if the node at {@code path} does not have orderable
 *         child nodes
 */
@Test
public void testReorderPolicyNode() throws Exception {
    Node n = testSession.getNode(path);
    String firstChild = Text.getName(childNPath);
    String secondChild = Text.getName(childNPath2);

    try {
        boolean orderable = n.getPrimaryNodeType().hasOrderableChildNodes();
        if (!orderable) {
            throw new NotExecutableException("Reordering child nodes is not supported..");
        }
        n.orderBefore(secondChild, firstChild);
        testSession.save();
        fail("test session must not be allowed to reorder nodes.");
    } catch (AccessDeniedException expected) {
        // success.
    }

    // grant all privileges; the same reorder must now be persisted
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_ALL }));
    n.orderBefore(secondChild, firstChild);
    testSession.save();

    // with jcr:all the policy node itself can be reordered as well
    n.orderBefore("rep:policy", secondChild);
    testSession.save();
}