I'm trying to create some groups and permissions to lock down certain parts of CQ5.5 to particular users. For the most part everything is ok, but I seem to keep hitting a barrier with the stuttering barista.
When I create a user, they have no permissions by default (aside from some /home ones if I understand correctly). When I log in with this user, I get:
No resource found
Cannot serve request to /libs/cq/core/content/welcome.html in /libs/sling/servlet/errorhandler/404.jsp
All good, expected that.
If I add read access to the root node for this user, after logging in everything looks ok as if I've logged in as an admin. Permissions shown here:
But if I remove root node read access, and then give every sub node underneath root read access
and log in after this, the RHS menu errors with :
The error.log gives:
14.02.2013 01:43:22.885 *ERROR* [123.456.789.123  GET /libs/cq/core/content/welcome.html HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Uncaught SlingException org.apache.sling.api.SlingException: javax.servlet.ServletException: javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
The only surface difference I see between the two is the lack of /bin having read permission. When I try to add read permission to /bin I get a popup saying
No modifiable ACL at /bin
Also, there are asterisks next to all of the selected nodes, which were not present when selecting the root node. The CQ5 docs state the following:
For an action at a given path:
* (asterisk): There is at least one local entry (either effective or ineffective). These wildcard ACLs are defined in CRX.
! (exclamation mark): There is at least one entry that currently has no effect.
When you hover over the asterisk or exclamation mark, a tooltip provides more details about the declared entries. The tooltip is split into two parts:
Lists the effective entries.
Lower part: Lists the noneffective entries that may have an effect somewhere else in the tree (as indicated by a special attribute present with the corresponding ACE limiting the scope of the entry). Alternatively, this is an entry whose effect has been revoked by another entry defined at the given path or at an ancestor node.
When I hover over the asterisks, I get the message
To me, this means everything is allowed. The docs also state that permissions are inherited.
So I guess my questions are:
- Why doesn't selecting all nodes directly under the root node yield the same results as selecting the root node itself?
- Why can't I select the /bin node manually, but it can be selected by default when selecting the root node?
- Is there a way to see down the tree structure what nodes are selected or not without manually opening every branch one by one?
- Where is cafebabe-cafe-babe-cafe-babecafebabe and what permissions do I need to access this?
I think I have more questions, but I'm tired. Need coffee. Where's cafebabe...?
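As an added illustration (not part of the original question and not CQ's or Jackrabbit's own code), here is a small Python model of how path-based ACL inheritance decides read access, comparing "read on the root node" with "read on each node directly under root" and going one step further with a deny entry. It assumes a principal named testuser, one entry per principal per node, and the simplified rule that the closest ancestor-or-self entry wins; nodes with no entry anywhere above them get no access.

```python
# Simplified model of JCR-style ACL inheritance (an illustration, not CQ5's
# implementation): the effective permission for a principal at a path comes
# from the closest ancestor-or-self node carrying an entry for that principal.
from typing import Dict, List, Optional

Acl = Dict[str, Dict[str, bool]]   # node path -> {principal: allow(True)/deny(False)}


def parent_path(path: str) -> Optional[str]:
    """Return the parent of a JCR path, or None for the root node '/'."""
    if path == "/":
        return None
    head, _, _ = path.rpartition("/")
    return head or "/"


def effective_read(acl: Acl, principal: str, path: str) -> bool:
    """Walk from `path` up to '/' and apply the first entry found for `principal`.
    Simplifying assumption: one jcr:read entry per principal per node."""
    node: Optional[str] = path
    while node is not None:
        entry = acl.get(node, {})
        if principal in entry:
            return entry[principal]
        node = parent_path(node)
    return False   # no applicable entry anywhere: default is no access


def readable(acl: Acl, principal: str, paths: List[str]) -> Dict[str, bool]:
    return {p: effective_read(acl, principal, p) for p in paths}


# Scenario A: jcr:read granted on the root node only (inherited by everything).
ROOT_ONLY: Acl = {"/": {"testuser": True}}
# Scenario B: jcr:read granted on each node directly under root instead,
# but not on '/' itself and not on /bin (the node the UI would not modify).
CHILDREN_ONLY: Acl = {p: {"testuser": True}
                      for p in ["/apps", "/content", "/etc", "/home", "/libs", "/var"]}
# Scenario C: root allow plus a deny on one subtree (constructed path).
ROOT_WITH_DENY: Acl = {"/": {"testuser": True}, "/content/secret": {"testuser": False}}

CHECK = ["/", "/bin", "/libs/cq/core/content/welcome", "/content/site/en", "/content/secret/page"]

if __name__ == "__main__":
    for name, acl in [("root only", ROOT_ONLY), ("children only", CHILDREN_ONLY),
                      ("root + deny", ROOT_WITH_DENY)]:
        print(name)
        for path, ok in readable(acl, "testuser", CHECK).items():
            print(f"  {path:35} {'read' if ok else 'DENIED'}")
```

Under scenario B the root node and /bin stay unreadable even though every listed child is readable, which is the gap between "everything under root" and "root itself".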