in src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java [162:209]
/**
 * Adds one access control entry per principal to the ACL at {@code jcrPath} and writes the
 * policy back only if at least one entry was actually added.
 *
 * <p>Entries for which {@code contains(existingAces, ...)} reports an equivalent entry are
 * logged and skipped. The existing entries are read once, before the loop, so entries added
 * during this call are not part of that comparison.
 *
 * @param context session context supplying the access control manager and the session
 * @param principals names of the principals to create entries for
 * @param jcrPath path whose access control list is modified
 * @param privileges privilege names applied to every entry
 * @param isAllow {@code true} for an allow entry, {@code false} for a deny entry
 * @param restrictionClauses restriction clauses converted into local restrictions
 * @param options ACL options; may be {@code null}, which is treated as "no options"
 * @throws RepositoryException declared for the repository calls made here
 */
private static void setAcl(
        SessionContext context,
        List<String> principals,
        String jcrPath,
        List<String> privileges,
        boolean isAllow,
        List<RestrictionClause> restrictionClauses,
        List<String> options)
        throws RepositoryException {
    AccessControlManager accessControlManager = context.getAccessControlManager();
    final String[] privilegeNames = privileges.toArray(new String[0]);

    // NOTE(review): the meaning of the trailing 'true' is defined by getAccessControlList,
    // which is not visible here - confirm before relying on it.
    JackrabbitAccessControlList acl = getAccessControlList(accessControlManager, jcrPath, true);
    checkState(acl != null, "No JackrabbitAccessControlList available for path {0}", jcrPath);

    LocalRestrictions restrictions = createLocalRestrictions(restrictionClauses, acl, context.getSession());
    // Snapshot of the entries present before this call; it is not refreshed inside the loop.
    AccessControlEntry[] currentEntries = acl.getAccessControlEntries();
    boolean modified = false;

    // A null options list simply means the option is not set.
    // NOTE(review): how getPrincipal resolves a name that does not exist when this flag is
    // set is not visible here; since the result is used directly as the ACE principal, confirm
    // what ends up in the policy for such names.
    final boolean ignoreMissingPrincipal =
            options != null && options.contains(AclVisitor.OPTION_IGNORE_MISSING_PRINCIPAL);

    for (String principalName : principals) {
        final Principal resolved = getPrincipal(context, principalName, ignoreMissingPrincipal);
        LocalAccessControlEntry candidate =
                new LocalAccessControlEntry(context, resolved, privilegeNames, isAllow, restrictions);

        if (!contains(currentEntries, candidate)) {
            acl.addEntry(
                    candidate.principal,
                    candidate.getPrivilegeCollection().getPrivileges(),
                    candidate.isAllow,
                    candidate.restrictions.getRestrictions(),
                    candidate.restrictions.getMVRestrictions());
            modified = true;
        } else {
            LOG.info(
                    "Not adding {} to path {} since an equivalent access control entry already exists",
                    candidate,
                    jcrPath);
        }
    }

    // Avoid writing the policy when nothing was added.
    if (modified) {
        accessControlManager.setPolicy(jcrPath, acl);
    }
}