> On 10. Jan 2023, at 12:11, Angela Schreiber <[email protected]> wrote:
>
> hi konrad
>
>> you cannot limit creation of a new node with a specific node type (with a
>> node
>> type restriction ACE) nor the migration of an existing node to a certain node
>> type to certain principals only.
>
> for changing the primary type: that should be doable if it applies to a dedicated
> subtree.
How exactly?
> what i wanted to state is: if you want it to be enforced for all nodes across
> the whole content tree, it might become tricky to manage if additional entries
> allow writing in a subtree... so, the requirement 'for a given principal
> certain restrictions should be applied across the whole repository content'
> cannot easily be reflected with the resource-based access control model afaik.
>
> for adding nodes: note that jcr:addChildNodes privilege is evaluated on the
> parent and not for the node to be added. so, the restriction would need to be
> applied with an ACE that grants/denies adding the jcr:primaryType property
> which is mandatory for all nodes and thus is an indication of the add-node
> operation.
Granted, but as I might add the parent node of the restricted node type in the
same session that does not really help here, so I can still add the node with
the restricted node type, right?
>
>> Therefore it is probably reasonable to document that it is not reasonable to
>> use property-evaluating restrictions with write permissions
>
> i wouldn't say that though. one just has to be aware that add/remove node is
> granted on the parent (remove also on the node itself).
>
> kind regards
> angela
>
>
> ________________________________
> From: Konrad Windszus <[email protected]>
> Sent: Tuesday, January 10, 2023 11:15
> To: [email protected] <[email protected]>
> Subject: Re: Authorisation Restrictions: When are those evaluated?
>
> Thanks Angela for the response and happy new year to you as well
>
>> On 10. Jan 2023, at 10:27, Angela Schreiber <[email protected]>
>> wrote:
>>
>> the current restriction API does not allow to limit to/for certain
>> principals. restrictions are not aware of the principal a given entry is
>> evaluated for but are only aware of the path and the item the permissions
>> applies to.
>
> The question was more whether the item which is evaluated by the restriction
> in the case of write operations is the before or after state in the
> repository.
>
> I guess it is just the before state, which means that you cannot limit
> creation of a new node with a specific node type (with a node type
> restriction ACE) nor the migration of an existing node to a certain node type
> to certain principals only.
>
> Therefore it is probably reasonable to document that it is not reasonable to
> use property-evaluating restrictions with write permissions, am I right?
>
>
> Konrad
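Added example, not code from the thread or from Jackrabbit Oak itself: the two ideas discussed above (deny changing jcr:primaryType below a dedicated subtree; deny adding the mandatory jcr:primaryType property instead of restricting jcr:addChildNodes, which is evaluated on the parent) expressed as ACEs with the Jackrabbit access control API. The subtree path /content/restricted, the principal name "content-authors" and the node type name "my:Restricted" are assumptions. rep:alterProperties and rep:addProperties are the Oak sub-privileges aggregated by jcr:modifyProperties; rep:itemNames and rep:ntNames are Oak's built-in multi-valued restrictions. Whether the rep:ntNames restriction in the second entry sees the primary type of the node being created (the before/after question raised in the thread) is left open here; the code only shows how such an entry is written.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/**
 * Hypothetical helper (not part of Oak) that installs the two deny entries
 * discussed in the mail thread. Assumed names: /content/restricted,
 * "content-authors", "my:Restricted".
 */
public final class PrimaryTypeRestrictions {

    private PrimaryTypeRestrictions() {}

    private static Value[] names(ValueFactory vf, String... names) throws RepositoryException {
        Value[] values = new Value[names.length];
        for (int i = 0; i < names.length; i++) {
            values[i] = vf.createValue(names[i], PropertyType.NAME);
        }
        return values;
    }

    private static Principal principal(Session session, String name) throws RepositoryException {
        // Oak sessions implement JackrabbitSession, which exposes the principal manager.
        return ((JackrabbitSession) session).getPrincipalManager().getPrincipal(name);
    }

    /**
     * Idea 1 (dedicated subtree): deny changing an existing jcr:primaryType for
     * every node below subtreePath. rep:alterProperties covers modification of an
     * existing property; rep:itemNames limits the entry to the named property.
     */
    public static void denyChangingPrimaryTypeBelow(Session session, String subtreePath,
            String principalName) throws RepositoryException {
        ValueFactory vf = session.getValueFactory();
        Privilege[] alter = AccessControlUtils.privilegesFromNames(session, "rep:alterProperties");

        Map<String, Value[]> mv = new HashMap<>();
        mv.put("rep:itemNames", names(vf, "jcr:primaryType"));

        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, subtreePath);
        acl.addEntry(principal(session, principalName), alter, false,
                Collections.<String, Value>emptyMap(), mv);
        session.getAccessControlManager().setPolicy(subtreePath, acl);
        session.save();
    }

    /**
     * Idea 2 (add-node case): jcr:addChildNodes is evaluated on the parent, so a
     * node-type restriction on that privilege cannot target the new node. Instead
     * deny adding the mandatory jcr:primaryType property (rep:addProperties),
     * limited with rep:ntNames to nodes of the given type.
     */
    public static void denyAddingNodesOfType(Session session, String subtreePath,
            String principalName, String nodeTypeName) throws RepositoryException {
        ValueFactory vf = session.getValueFactory();
        Privilege[] add = AccessControlUtils.privilegesFromNames(session, "rep:addProperties");

        Map<String, Value[]> mv = new HashMap<>();
        mv.put("rep:itemNames", names(vf, "jcr:primaryType"));
        mv.put("rep:ntNames", names(vf, nodeTypeName));

        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, subtreePath);
        acl.addEntry(principal(session, principalName), add, false,
                Collections.<String, Value>emptyMap(), mv);
        session.getAccessControlManager().setPolicy(subtreePath, acl);
        session.save();
    }

    /** Example wiring with the assumed names; session is an admin session. */
    public static void install(Session session) throws RepositoryException {
        denyChangingPrimaryTypeBelow(session, "/content/restricted", "content-authors");
        denyAddingNodesOfType(session, "/content/restricted", "content-authors", "my:Restricted");
    }
}
```

Both entries are deny entries, so any allow entry that grants jcr:modifyProperties (or jcr:write / jcr:all) to the same principal further down the tree overrides them for that subtree, which is the management problem Angela describes for a repository-wide requirement. Note also that, as Konrad points out, a session that creates the parent and the restricted child in one save is not stopped by an addChildNodes check on the parent, which is why the second entry targets the property rather than the parent.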