I am using the Spring ACL plugin in Grails 1.3.7, but my question is probably more general than this: I would like to allow users who have BasePermission.READ access to the object to grant this same permission to other users. If user1 has read access to the document, he should be able to share this with user2 and thereby give him read access to the same document.
When the document is first created, user1 is granted read access, so I see this in the log:
DEBUG grails.app.service.org.grails.plugins.springsecurity.service.acl.AclUtilService Added permission BasePermission[...............................R=1] for Sid PrincipalSid[User user1] for com.fxpal.ara.Document with id 1
Then, when I try to grant READ permission to user2 while authenticated as user1, I get this exception:
org.springframework.security.acls.model.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs
So my questions are:
1. Is BasePermission.ADMINISTRATION required to allow users to grant permissions to other users?
2. Is there any other way to grant permissions if only partial permissions are available? Where is this policy implemented and can it be replaced?
Update:
Well, I thought that I could add a new implementation of AclAuthorizationStrategy that defines the method public void securityCheck(Acl acl, int changeType), but this method does not accept the requested permission as a parameter, defeating my strategy for checking compatible permissions. The next thing to do is recompile AclImpl to use different logic. It seems embarrassing to repeat most of the same code ...
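An added example, not part of the original post or the plugin's code: because securityCheck(Acl acl, int changeType) never sees the permission being granted, a "share only what you hold" rule can be enforced in a service in front of the ACL mutation. PermissionDelegationService and share() are hypothetical names, and the sketch assumes the configured AclAuthorizationStrategy accepts the ACL change for the calling context and that the call runs inside a transaction.

```java
import java.util.Arrays;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper: a user may pass on only a permission they already hold. */
public class PermissionDelegationService {

    private final MutableAclService aclService;

    public PermissionDelegationService(MutableAclService aclService) {
        this.aclService = aclService;
    }

    public void share(Class<?> type, Long id, String recipient, Permission permission) {
        Authentication grantor = SecurityContextHolder.getContext().getAuthentication();
        MutableAcl acl = (MutableAcl) aclService.readAclById(new ObjectIdentityImpl(type, id));

        // The permission-aware check that securityCheck() cannot express:
        // refuse unless the grantor's own SID is granted this exact permission.
        if (!holds(acl, new PrincipalSid(grantor), permission)) {
            throw new AccessDeniedException("Grantor does not hold the permission being shared");
        }

        // insertAce() still invokes AclAuthorizationStrategy.securityCheck(acl, CHANGE_GENERAL);
        // this sketch assumes that check passes for the caller (see lead-in).
        acl.insertAce(acl.getEntries().size(), permission, new PrincipalSid(recipient), true);
        aclService.updateAcl(acl);
    }

    private boolean holds(Acl acl, Sid sid, Permission permission) {
        try {
            return acl.isGranted(Arrays.asList(permission), Arrays.asList(sid), false);
        } catch (NotFoundException noMatchingAce) {
            // Same exception as in the post: no ACE for this SID and permission.
            return false;
        }
    }
}
```

Only the grantor's PrincipalSid is checked, so a permission the grantor holds through a role (a GrantedAuthoritySid entry) is not delegable here. That keeps delegation from widening access beyond what was granted to the individual user.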