in src/main/java/org/apache/sling/jackrabbit/usermanager/impl/AuthorizablePrivilegesInfoImpl.java [134:159]
public boolean canAddGroup(Session jcrSession) {
boolean hasRights = false;
try {
UserManager userManager = AccessControlUtil.getUserManager(jcrSession);
Authorizable currentUser = userManager.getAuthorizable(jcrSession.getUserID());
if (currentUser instanceof User && ((User)currentUser).isAdmin()) {
hasRights = true; //admin user has full control
} else {
if (groupsPath != null) {
//check if the non-admin user has sufficient rights on the home folder
AccessControlManager acm = jcrSession.getAccessControlManager();
hasRights = acm.hasPrivileges(groupsPath, new Privilege[] {
acm.privilegeFromName(Privilege.JCR_READ),
acm.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL),
acm.privilegeFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL),
acm.privilegeFromName(PrivilegeConstants.REP_WRITE),
acm.privilegeFromName(PrivilegeConstants.REP_USER_MANAGEMENT)
});
}
}
} catch (RepositoryException e) {
log.warn("Failed to determine if {} can add a new group", jcrSession.getUserID());
}
return hasRights;
}