use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testAccessControlModification.
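/**
 * Verifies the scope of READ_AC and MODIFY_AC granted to the test user at 'path':
 * both must be effective at 'path' (READ_AC also at the child path), neither may
 * apply at the sibling path, and after the policy is removed again the test
 * session must be back to read-only access.
 *
 * @throws Exception if a repository call fails in a way the test does not expect
 */
@Test
public void testAccessControlModification() throws Exception {
    // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] {
            Privilege.JCR_READ_ACCESS_CONTROL,
            Privilege.JCR_MODIFY_ACCESS_CONTROL });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    /*
     testuser must
     - still have the inherited READ permission.
     - must have permission to view AC items at 'path' (and below)
     - must have permission to modify AC items at 'path'

     testuser must not have
     - permission to view AC items outside of the tree defined by path.
    */

    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));

    // test: MODIFY_AC granted at 'path'
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));

    // test if testuser can READ access control on the path and on the
    // entire subtree that gets the policy inherited.
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    // Return value deliberately unused: the call only has to succeed. The sibling
    // check below shows that a missing READ_AC surfaces as AccessDeniedException.
    testAcMgr.getPolicies(childNPath);

    // test: READ_AC privilege does not apply outside of the tree.
    try {
        testAcMgr.getPolicies(siblingPath);
        fail("READ_AC privilege must not apply outside of the tree it has applied to.");
    } catch (AccessDeniedException e) {
        // success
    }

    // test: MODIFY_AC privilege does not apply outside of the tree.
    assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));

    // test if testuser can modify AC-items
    // 1) add an ac-entry
    // Fail with a readable message instead of an ArrayIndexOutOfBoundsException
    // if no policy is visible to the test session at 'path'.
    assertTrue("Expected at least one policy at 'path' visible to the test session.", policies.length > 0);
    AccessControlList acl = (AccessControlList) policies[0];
    acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
    testAcMgr.setPolicy(path, acl);
    testSession.save();

    // the entry just added must be effective for the test session
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));

    // 2) remove the policy
    testAcMgr.removePolicy(path, policies[0]);
    testSession.save();

    // privileges must be gone again...
    try {
        testAcMgr.getEffectivePolicies(childNPath);
        fail("READ_AC privilege has been revoked -> must throw again.");
    } catch (AccessDeniedException e) {
        // success
    }
    // ... and since the ACE is stored with the policy, all rights except
    // READ must be gone.
    assertReadOnly(path);
}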
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class IndexManagementTest method testAddOakIndexWithoutPermission.
/**
 * Grants REP_WRITE at 'path' and checks that the test session still cannot
 * create the index definitions node there: adding the node and saving is
 * expected to end in an {@link AccessDeniedException}.
 *
 * @throws Exception if a repository call fails in a way the test does not expect
 */
public void testAddOakIndexWithoutPermission() throws Exception {
    allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));

    // Resolved outside the try block: a failure to read 'path' is a test error,
    // not the denial this test is looking for.
    Node parent = testSession.getNode(path);
    try {
        parent.addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
        testSession.save();
        fail("AccessDeniedException expected. Test session is not allowed to add oak:index node.");
    } catch (AccessDeniedException expected) {
        // success: the write was rejected
    }
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class IndexManagementTest method testModifyIndexDefinitionWithoutPermission3.
/**
 * Has the superuser create an index definition "myIndex" with a custom
 * property, grants REP_WRITE at 'path', and checks that the test session
 * cannot change that property: the modification is expected to end in an
 * {@link AccessDeniedException}.
 *
 * @throws Exception if a repository call fails in a way the test does not expect
 */
public void testModifyIndexDefinitionWithoutPermission3() throws Exception {
    // Setup as superuser: index definitions node plus one definition below it.
    Node indexRoot = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
    Node indexDef = indexRoot.addNode("myIndex", IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
    indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
    indexDef.setProperty("customProp", "val");
    superuser.save();

    allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));

    try {
        // Navigate to the definition through the test session and try to
        // overwrite the custom property.
        Node definitions = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME);
        Node n = definitions.getNode("myIndex");
        n.getProperty("customProp").setValue("val2");
        testSession.save();
        fail("AccessDeniedException expected. Test session is not allowed to modify index definition property.");
    } catch (AccessDeniedException expected) {
        // success: the modification was rejected
    }
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AbstractAutoCreatedPropertyTest method testRemoveReAddMixin.
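/**
 * Grants JCR_ADD_CHILD_NODES, JCR_REMOVE_NODE and JCR_REMOVE_CHILD_NODES at
 * 'path' and checks that removing and re-adding the mixin on the target node
 * through the test session is rejected with an {@link AccessDeniedException}.
 *
 * @throws Exception if a repository call fails in a way the test does not expect
 */
@Test
public void testRemoveReAddMixin() throws Exception {
    // NOTE(review): JCR_NODE_TYPE_MANAGEMENT is not among the granted privileges;
    // presumably that is what the operation trips over - confirm.
    allow(path, privilegesFromNames(new String[] {
            Privilege.JCR_ADD_CHILD_NODES,
            Privilege.JCR_REMOVE_NODE,
            Privilege.JCR_REMOVE_CHILD_NODES }));
    try {
        Node refNode = testSession.getNode(targetNode.getPath());
        refNode.removeMixin(getMixinName());
        refNode.addMixin(getMixinName());
        testSession.save();
        // A bare fail() gives no hint which access check was bypassed; say what
        // was expected so a regression is readable in the test report.
        fail("AccessDeniedException expected. Removing and re-adding the mixin must not be permitted with the privileges granted at 'path'.");
    } catch (AccessDeniedException e) {
        // success
    }
}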
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AbstractAutoCreatedPropertyTest method testReplaceNode3.
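/**
 * Grants JCR_REMOVE_CHILD_NODES and JCR_NODE_TYPE_MANAGEMENT at 'path', then
 * removes the target node through the test session, re-creates it under the
 * child path with the same name and primary type plus the mixin, and checks
 * that saving is rejected with an {@link AccessDeniedException}.
 *
 * @throws Exception if a repository call fails in a way the test does not expect
 */
@Test
public void testReplaceNode3() throws Exception {
    allow(path, privilegesFromNames(new String[] {
            Privilege.JCR_REMOVE_CHILD_NODES,
            Privilege.JCR_NODE_TYPE_MANAGEMENT }));

    // Remove and re-create stay outside the try block, so only the save can
    // satisfy the expected denial.
    testSession.removeItem(targetNode.getPath());
    Node newNode = testSession.getNode(childNPath).addNode(targetNode.getName(), targetNode.getPrimaryNodeType().getName());
    newNode.addMixin(getMixinName());
    try {
        testSession.save();
        // A bare fail() gives no hint which access check was bypassed; say what
        // was expected so a regression is readable in the test report.
        fail("AccessDeniedException expected. Replacing the target node must not be permitted with the privileges granted at 'path'.");
    } catch (AccessDeniedException e) {
        // Expected. Assuming testSession is a javax.jcr.Session, refresh(false)
        // discards the pending changes the rejected save left behind.
        testSession.refresh(false);
    }
}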