Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0

AceBeanInstallerIncremental does not detect permission changes for managed authorizables outside managed paths #742

Closed kwin closed 2 months ago

kwin commented 2 months ago

The code at https://github.com/Netcentric/accesscontroltool/blob/6499e07816c37d82147b0e5954b0db15704fa400/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.java#L65 tries to detect if ACEs need to be installed. For that it compares the config from the YAML with the state from the repo. Unfortunately it only considers ACEs in the repo at paths managed in the YAML (https://github.com/Netcentric/accesscontroltool/blob/6499e07816c37d82147b0e5954b0db15704fa400/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.java#L68) but not anywhere else.

The main advantage of the ACTool is that it also cleans up ACEs for managed authorizables which are not mentioned in the YAML config.

However, this case is not considered for the default AceBeanInstallerIncremental service.

kwin commented 2 months ago

This is probably a regression of #155.

kwin commented 2 months ago

The cleanup of ACEs outside managed paths happens outside, in https://github.com/Netcentric/accesscontroltool/blob/6499e07816c37d82147b0e5954b0db15704fa400/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.java#L334; therefore it works as expected.
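
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from ACTool's code: a diff restricted to paths named in the config reports nothing for a stale ACE elsewhere, and a separate cleanup pass over managed authorizables catches it. The function names, the tuple model of an ACE and the sample data are all assumptions made for the example.

```python
# Simplified model, not ACTool code. An ACE is (principal, path, privilege).
# All names and sample values below are constructed for illustration.

def managed_paths(config_aces):
    """Paths that the YAML-like config mentions at least once."""
    return {path for _, path, _ in config_aces}

def incremental_diff(config_aces, repo_aces, managed_principals):
    """Compare config with repo state, looking only at paths named in the config."""
    paths = managed_paths(config_aces)
    in_scope = {a for a in repo_aces
                if a[1] in paths and a[0] in managed_principals}
    return {"add": config_aces - in_scope, "remove": in_scope - config_aces}

def cleanup_outside_paths(config_aces, repo_aces, managed_principals):
    """Separate pass: ACEs of managed principals at paths the config never mentions."""
    paths = managed_paths(config_aces)
    return {a for a in repo_aces
            if a[0] in managed_principals and a[1] not in paths}

def has_pending_changes(config_aces, repo_aces, managed_principals):
    """True if either the path-scoped diff or the cleanup pass finds work to do."""
    diff = incremental_diff(config_aces, repo_aces, managed_principals)
    stale = cleanup_outside_paths(config_aces, repo_aces, managed_principals)
    return bool(diff["add"] or diff["remove"] or stale)

CONFIG = {
    ("editors", "/content/site", "jcr:read"),
    ("editors", "/content/site", "rep:write"),
}
REPO = {
    ("editors", "/content/site", "jcr:read"),
    ("editors", "/content/site", "rep:write"),
    ("editors", "/content/legacy", "jcr:all"),     # stale grant outside the config
    ("everyone", "/content/legacy", "jcr:read"),   # unmanaged principal, left alone
}
MANAGED = {"editors"}

if __name__ == "__main__":
    print("path-scoped diff:", incremental_diff(CONFIG, REPO, MANAGED))
    print("cleanup pass:", cleanup_outside_paths(CONFIG, REPO, MANAGED))
    print("pending changes:", has_pending_changes(CONFIG, REPO, MANAGED))
```
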