in src/main/java/org/apache/sling/jackrabbit/usermanager/impl/AuthorizablePrivilegesInfoImpl.java [164:193]
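/**
 * Determines whether the user behind the given session may create a new user.
 *
 * <p>The answer is {@code true} in three cases, checked in this order:
 * <ol>
 *   <li>self-registration is enabled;</li>
 *   <li>the session's user resolves to a {@link User} that is an admin;</li>
 *   <li>{@code usersPath} is set and the session holds every privilege listed
 *       below on that path.</li>
 * </ol>
 * In every other case, including a {@link RepositoryException} raised while
 * checking, the method returns {@code false}, so the check fails closed.
 *
 * @param jcrSession the JCR session of the current user
 * @return {@code true} if the session's user may add a user, {@code false} otherwise
 */
public boolean canAddUser(Session jcrSession) {
    boolean hasRights = false;
    try {
        if (selfRegistrationEnabled) {
            // The session is not consulted in this branch: the result is true for
            // any session, so it is not evidence of an administrative privilege.
            hasRights = true;
        } else {
            UserManager userManager = AccessControlUtil.getUserManager(jcrSession);
            Authorizable currentUser = userManager.getAuthorizable(jcrSession.getUserID());
            if (currentUser instanceof User && ((User) currentUser).isAdmin()) {
                // admin user has full control
                hasRights = true;
            } else if (usersPath != null) {
                // A non-admin user needs the full privilege set on the users home
                // folder; hasPrivileges is true only when all of them are held.
                AccessControlManager acm = jcrSession.getAccessControlManager();
                Privilege[] required = new Privilege[] {
                    acm.privilegeFromName(Privilege.JCR_READ),
                    acm.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL),
                    acm.privilegeFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL),
                    acm.privilegeFromName(PrivilegeConstants.REP_WRITE),
                    acm.privilegeFromName(PrivilegeConstants.REP_USER_MANAGEMENT)
                };
                hasRights = acm.hasPrivileges(usersPath, required);
            }
            // usersPath == null: nothing to check against, access stays denied.
        }
    } catch (RepositoryException e) {
        // Deny on error, but keep the cause: a failing authorization check with no
        // stack trace cannot be told apart from a legitimate denial in the logs.
        // NOTE(review): assumes an SLF4J-style logger, where a trailing Throwable
        // is logged as the exception - confirm against the log field's type.
        log.warn("Failed to determine if {} can add a new user", jcrSession.getUserID(), e);
    }
    return hasRights;
}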