Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
SEC-172: Allow SimpleAclEntry to take 'null' as recipient constructor argument #434
If I want to add only parent acl_object_identity link to a domain object, without creating any real acl entries so that I’m effecively inheriting all acl’s, I can do that by calling JdbcExtendedDaoImpl.create method with ‘null’ recipient.
However you can’t pass null recipient to SimpleAclEntry’s constructor because AbstractAclEntry’s constructor asserts that recipient is not null. You can work-aroud that by constructing SimpleAclEntry with "" recipient and then calling setRecipient(null), which works.
Is there any reason not to allow ‘null’ for recipient constructor argument, for saving a line of code? Or is there some other way of creating just acl_object_identity and parent link without acl’s?
Ben Alex said:
The BasicAclEntry interface defines the contract, which expressly states that getRecipient() should never return null. An issue is JdbcExtendedDaoImpl relies on getRecipient() being null to not create an acl_permission row. We can’t use a mask of zero, either, as that has meaning in terms of revoking permissions. Need to give this more thought.
Mikko Peltonen said:
Because of the inheritance stuff, I think we need separate creation/deletion methods for the ACL Identities, in addition to AclEntries.
Currently, I have a use case where I should be able to delete all ACL entries from a domain object, but NOT the AclObjectIdentity because domain object has child identity. Current contract of the BasicAclExtendedDao.delete deletes both all AclEntries AND the AclObjectIdentity, which is not acceptable in this case.