hi konrad > you cannot limit creation of a new node with a specific node type (with a node > type restriction ACE) nor the migration of an existing node to a certain node > type to certain principals only.
for changing primary type should be doable if it applies to a dedicated subtree. what i wanted to state is: if you want it to be enforced for all nodes across the whole content tree it might become tricky to manage if additional entries allowed writing in a subtree.... so, the requirement 'for a given principal certain restrictions should be applied across the whole repository content' cannot easily be reflected with the resource-based access control model afaik. for adding nodes: note that jcr:addChildNodes privilege is evaluated on the parent and not for the node to be added. so, the restriction would need to be applied with an ACE that grants/denies adding the jcr:primaryType property which is mandatory for all nodes and thus is an indication of the add-node operation. > Therefore it is probably reasonable to document that it is not reasonable to > use > property evaluating restrictions with write permissions i wouldn't say that though. one just has to be aware that add/remove node is granted on the parent (remove also on the node itself). kind regards angela ________________________________ From: Konrad Windszus <[email protected]> Sent: Tuesday, January 10, 2023 11:15 To: [email protected] <[email protected]> Subject: Re: Authorisation Restrictions: When are those evaluated? EXTERNAL: Use caution when clicking on links or opening attachments. Thanks Angela for the response and happy new year to you as well > On 10. Jan 2023, at 10:27, Angela Schreiber <[email protected]> wrote: > > the current restriction API does not allow to limit to/for certain > principals. restrictions are not aware of the principal a given entry is > evaluated for but are only aware of the path and the item the permissions > applies to. The question was more whether the item which is evaluated by the restriction in the case of write operations is the before or after state in the repository. I guess it is just the before state, which means that you cannot limit creation of a new node with a specific node type (with a node type restriction ACE) nor the migration of an existing node to a certain node type to certain principals only. Therefore it is probably reasonable to document that it is not reasonable to use property evaluating restrictions with write permissions, am I right? Konrad
