in src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java [370:443]
public static void setPrincipalAcl(
SessionContext context, String principalName, Collection<AclLine> lines, boolean isStrict)
throws RepositoryException {
final JackrabbitAccessControlManager acMgr = context.getAccessControlManager();
Principal principal = context.getPrincipalWithSave(principalName);
checkState(principal != null, PRINCIPAL_NOT_FOUND_PATTERN, principalName);
final PrincipalAccessControlList acl = getPrincipalAccessControlList(acMgr, principal, true);
if (acl == null && isStrict) {
String principalDescription = principal.getName();
// try to get path of principal in case it is backed by a JCR user/group
if (principal instanceof ItemBasedPrincipal) {
principalDescription += " (" + ((ItemBasedPrincipal) principal).getPath() + ")";
}
throw new IllegalStateException(
"No PrincipalAccessControlList available for principal '" + principalDescription + "'.");
}
boolean modified = false;
for (AclLine line : lines) {
AclLine.Action action = line.getAction();
List<String> jcrPaths = getJcrPaths(context.getSession(), line.getProperty(PROP_PATHS));
if (action == AclLine.Action.DENY) {
throw new AccessControlException("PrincipalAccessControlList doesn't support 'deny' entries.");
} else if (action == AclLine.Action.REMOVE) {
throw new IllegalArgumentException(
AclLine.Action.REMOVE + " is not supported. Use 'remove principal acl' instead.");
} else if (action == AclLine.Action.REMOVE_ALL) {
if (removePrincipalEntries(acl, principalName, entry -> jcrPaths.contains(entry.getEffectivePath()))) {
modified = true;
}
} else if (action == AclLine.Action.ALLOW) {
final String[] privilegeNames =
line.getProperty(PROP_PRIVILEGES).toArray(new String[0]);
for (String effectivePath : jcrPaths) {
if (acl == null) {
// no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with
// the same definition exists
// or if there exists no node at the effective path (unable to evaluate path-based entries).
LOG.info("No PrincipalAccessControlList available for principal {}", principal);
if (!containsEquivalentEntry(
context, effectivePath, principal, privilegeNames, true, line.getRestrictions())) {
LOG.warn(
"No equivalent path-based entry exists for principal {} and effective path {} ",
principal.getName(),
effectivePath);
return;
}
} else {
final LocalRestrictions restrictions =
createLocalRestrictions(line.getRestrictions(), acl, context.getSession());
final boolean added = acl.addEntry(
effectivePath,
context.privilegeCollectionFromNames(privilegeNames)
.getPrivileges(),
restrictions.getRestrictions(),
restrictions.getMVRestrictions());
if (!added) {
LOG.info(
"Equivalent principal-based entry already exists for principal {} and effective path {} ",
principalName,
effectivePath);
} else {
modified = true;
}
}
}
} else {
throw new IllegalArgumentException("Unknown action " + action);
}
}
if (modified) {
acMgr.setPolicy(acl.getPath(), acl);
}
}