in src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet.java [1014:1102]
protected void modifyAce( // NOSONAR
Session jcrSession, String resourcePath, String principalId, Map<String, String> privileges,
String order, Map<String, Value> restrictions, Map<String, Value[]> mvRestrictions,
Set<String> removeRestrictionNames, boolean autoSave, List<Modification> changes) throws RepositoryException {
Principal principal = validateArgs(jcrSession, resourcePath, principalId);
// Calculate a map of restriction names to the restriction definition.
// Use for fast lookup during the calls below.
AccessControlManager acm = AccessControlUtil.getAccessControlManager(jcrSession);
Map<String, RestrictionDefinition> srMap = buildRestrictionNameToDefinitionMap(resourcePath);
Map<Privilege, Integer> privilegeLongestDepthMap = PrivilegesHelper.buildPrivilegeLongestDepthMap(acm.privilegeFromName(PrivilegeConstants.JCR_ALL));
// first calculate what is currently stored in the ace
Map<Privilege, LocalPrivilege> privilegeToLocalPrivilegesMap = loadStoredAce(acm, resourcePath, principal, srMap);
//process the restrictions to remove
for (LocalPrivilege lp : privilegeToLocalPrivilegesMap.values()) {
if (lp.isAllow()) {
PrivilegesHelper.unallowRestrictions(privilegeToLocalPrivilegesMap, removeRestrictionNames, Collections.singleton(lp.getPrivilege()));
}
if (lp.isDeny()) {
PrivilegesHelper.undenyRestrictions(privilegeToLocalPrivilegesMap, removeRestrictionNames, Collections.singleton(lp.getPrivilege()));
}
}
// process the new restrictions
Set<LocalRestriction> localRestrictions = new HashSet<>();
if (restrictions != null) {
for (Entry<String, Value> entry : restrictions.entrySet()) {
RestrictionDefinition rd = srMap.get(entry.getKey());
if (rd == null) {
//illegal restriction name?
throw new AccessControlException(INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED);
}
localRestrictions.add(new LocalRestriction(rd, entry.getValue()));
}
}
if (mvRestrictions != null) {
for (Entry<String, Value[]> entry : mvRestrictions.entrySet()) {
RestrictionDefinition rd = srMap.get(entry.getKey());
if (rd == null) {
//illegal restriction name?
throw new AccessControlException(INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED);
}
localRestrictions.add(new LocalRestriction(rd, entry.getValue()));
}
}
// map the values to the privileges with that value
Map<PrivilegeValues, Set<Privilege>> privilegeValueToPrivilegesMap = new EnumMap<>(PrivilegeValues.class);
for (Entry<String, String> entry : privileges.entrySet()) {
String privilegeName = entry.getKey();
// for backward compatibility, deal with a prefixed value
if (privilegeName.startsWith("privilege@")) {
privilegeName = privilegeName.substring(10);
}
Privilege privilege = acm.privilegeFromName(privilegeName);
PrivilegeValues value = PrivilegeValues.valueOfParam(entry.getValue());
Set<Privilege> privilegesSet = privilegeValueToPrivilegesMap.computeIfAbsent(value, k -> new HashSet<>());
privilegesSet.add(privilege);
}
// process the new privileges
for (Entry<PrivilegeValues, Set<Privilege>> entry : privilegeValueToPrivilegesMap.entrySet()) {
switch (entry.getKey()) {
case GRANTED:
case ALLOW:
PrivilegesHelper.allow(privilegeToLocalPrivilegesMap, localRestrictions, entry.getValue());
break;
case DENIED:
case DENY:
PrivilegesHelper.deny(privilegeToLocalPrivilegesMap, localRestrictions, entry.getValue());
break;
case NONE:
PrivilegesHelper.none(privilegeToLocalPrivilegesMap, entry.getValue());
break;
default:
break;
}
}
// combine any aggregates that are still valid
PrivilegesHelper.consolidateAggregates(jcrSession, resourcePath, privilegeToLocalPrivilegesMap, privilegeLongestDepthMap);
modifyAce(jcrSession, resourcePath, principalId,
privilegeToLocalPrivilegesMap.values(), order,
autoSave, changes);
}