in src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java [318:368]
/**
 * Removes access control entries for the given principals at each of the given paths.
 *
 * <p>For every resolved JCR path that has an ACL, each entry whose principal name is in
 * {@code principals} is compared (via {@code LocalAccessControlEntry.isEqual}) with an
 * entry built from the requested {@code privileges}, {@code isAllow} and restrictions.
 * Only entries that compare equal are removed; the policy is written back with
 * {@code setPolicy} only if at least one entry was removed.
 *
 * <p>Review note: a request that matches nothing is reported at INFO level only. No
 * exception is raised for a non-existent path, a missing ACL or an entry that does not
 * match, so in those cases the existing entries stay in effect. Callers that rely on
 * this method to revoke access should verify the resulting ACL or monitor these log
 * lines.
 *
 * @param context session context providing the session and access control manager
 * @param principals names of the principals whose entries are candidates for removal
 * @param paths paths to process, resolved through {@code getJcrPaths}
 * @param privileges privilege names the entry to remove must carry; not annotated
 *     {@code @NotNull} but dereferenced for every candidate entry, so a null value
 *     fails with a NullPointerException once a principal matches
 * @param isAllow whether the entry to remove is an allow entry ({@code true}) or a deny entry
 * @param restrictionClauses restriction clauses the entry to remove must carry
 * @throws RepositoryException if a repository operation fails
 */
public static void removeEntries(
        @NotNull SessionContext context,
        @NotNull List<String> principals,
        @NotNull List<String> paths,
        List<String> privileges,
        boolean isAllow,
        List<RestrictionClause> restrictionClauses)
        throws RepositoryException {
    final Set<String> targetNames = new HashSet<>(principals);
    final AccessControlManager acManager = context.getAccessControlManager();

    for (String path : getJcrPaths(context.getSession(), paths)) {
        // Guard 1: nothing to do for a path that does not exist.
        if (!isValidPath(context.getSession(), path)) {
            LOG.info("Cannot remove access control entries on non-existent path {}", path);
            continue;
        }

        // Guard 2: nothing to do when the path has no ACL.
        final JackrabbitAccessControlList policy = getAccessControlList(acManager, path, false);
        if (policy == null) {
            LOG.info("Cannot remove access control entries for principal(s) {}. No ACL at {}", targetNames, path);
            continue;
        }

        final LocalRestrictions restrictions =
                createLocalRestrictions(restrictionClauses, policy, context.getSession());
        boolean changed = false;
        for (AccessControlEntry candidate : policy.getAccessControlEntries()) {
            final Principal owner = candidate.getPrincipal();
            if (targetNames.contains(owner.getName())) {
                // Build the entry we expect to find; only a match on isEqual is removed.
                final LocalAccessControlEntry expected = new LocalAccessControlEntry(
                        context, owner, privileges.toArray(new String[0]), isAllow, restrictions);
                if (expected.isEqual(candidate)) {
                    policy.removeAccessControlEntry(candidate);
                    changed = true;
                }
            }
        }

        if (!changed) {
            // No entry matched: the ACL is left untouched and this is only logged.
            LOG.info(
                    "No matching access control entry found to remove for principals {} at {}. Expected entry with isAllow={}, privileges={}, restrictions={}",
                    targetNames,
                    path,
                    isAllow,
                    privileges,
                    restrictionClauses);
            continue;
        }

        // NOTE(review): no session save is visible in this method; presumably the
        // caller persists the change. Confirm against the caller.
        acManager.setPolicy(path, policy);
    }
}