Dear ModeShape community,
we figured out a strange ModeShape behaviour regarding the ACL checking for the "admin" role. Here is our use case:
1. A user with the admin role sets ACLs on a node
2. The ACL contains read permission for "User 1" and "User 2"
3. The code to set the ACL looks like this:
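import javax.jcr.Credentials;
import javax.jcr.Node;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

Credentials credentials = new SimpleCredentials("admin", "password".toCharArray());
// Create a session to the repository workspace "default"
Session session = repository.login(credentials, "default");
// Get node by ID
Node node = session.getNodeByIdentifier("a05563e9-05e9-47d4-b031-c04ddeb8fb12");
// Get access control manager
AccessControlManager acm = session.getAccessControlManager();
// Get ACL for the node: an applicable policy if none is set yet, otherwise the existing one
AccessControlList acl = null;
AccessControlPolicyIterator it = acm.getApplicablePolicies(node.getPath());
if (it.hasNext()) {
    acl = (AccessControlList) it.nextAccessControlPolicy();
} else {
    acl = (AccessControlList) acm.getPolicies(node.getPath())[0];
}
// Set ACL for User 1 (Privilege.JCR_READ is a name; resolve it to a Privilege object)
acl.addAccessControlEntry(new RepositoryPrincipal("user1"), new Privilege[]{acm.privilegeFromName(Privilege.JCR_READ)});
// Set ACL for User 2
acl.addAccessControlEntry(new RepositoryPrincipal("user2"), new Privilege[]{acm.privilegeFromName(Privilege.JCR_READ)});
// Set the policy for the path
acm.setPolicy(node.getPath(), acl);
// Save the session
session.save();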
4. After execution of this code, "user1" and "user2" are able to access the node read-only, but the "admin" user is not!
Does this mean that every time we set ACLs we need to add the Privilege.JCR_ALL permission for the "admin" user? Or maybe ModeShape provides a "System" account that allows dealing with all nodes in the repository?
Thanks in advance!
Best regards
Vitali
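
The first option raised in the question, granting the administrative principal jcr:all in the same policy as the reader entries, written out as an added example (not code from the original post or from ModeShape). It uses only the standard JCR 2.0 access control API; the class and method names are hypothetical, and it assumes the session is logged in as the administrative principal that is passed in.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

/** Added example; class and method names are hypothetical. */
public final class AclWithAdminEntry {

    /** Returns an applicable (not yet bound) ACL for the path, or the ACL already set on it. */
    static AccessControlList aclFor(AccessControlManager acm, String path) throws RepositoryException {
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        throw new RepositoryException("No access control list available for " + path);
    }

    /**
     * Grants jcr:read to each reader and jcr:all to the administrative principal
     * in one policy, so the ACL never exists without an entry for the administrator.
     */
    static void grantReadKeepAdmin(Session session, String path, Principal admin, Principal... readers)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        Privilege[] all = { acm.privilegeFromName(Privilege.JCR_ALL) };

        AccessControlList acl = aclFor(acm, path);
        acl.addAccessControlEntry(admin, all);
        for (Principal reader : readers) acl.addAccessControlEntry(reader, read);
        acm.setPolicy(path, acl);
        session.save();

        // Checked after save() so the answer reflects the persisted policy.
        // Assumption: this session belongs to the administrative principal.
        if (!acm.hasPrivileges(path, all)) {
            throw new RepositoryException("Administrative session no longer holds jcr:all on " + path);
        }
    }
}
```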