in src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java [138:175]
/**
 * Adds one allow or deny access control entry per principal to the access control list of
 * {@code jcrPath} and writes the list back if at least one entry was submitted.
 *
 * <p>Entries that {@code contains} reports as already present in the list are skipped and logged.
 *
 * @param session            session used to obtain the access control manager and to resolve principals
 * @param principals         names to resolve; each is tried as a principal name first and then as an
 *                           authorizable ID (backwards compatibility, see SLING-8604)
 * @param jcrPath            path whose access control list is modified
 * @param privileges         privilege names, resolved through the access control manager
 * @param isAllow            {@code true} for allow entries, {@code false} for deny entries
 * @param restrictionClauses restriction clauses, converted by {@code createLocalRestrictions}
 * @throws RepositoryException declared by the JCR and Jackrabbit calls made here
 */
private static void setAcl(Session session, List<String> principals, String jcrPath, List<String> privileges, boolean isAllow, List<RestrictionClause> restrictionClauses)
        throws RepositoryException {
    final AccessControlManager accessControlManager = session.getAccessControlManager();

    // Resolve the privilege names before the ACL is looked up or touched.
    final String[] privilegeNames = privileges.toArray(new String[0]);
    final Privilege[] resolvedPrivileges = AccessControlUtils.privilegesFromNames(accessControlManager, privilegeNames);

    // NOTE(review): the meaning of the third argument (true) is defined by getAccessControlList,
    // which is not visible here - confirm what it does when no policy is bound to the path yet.
    final JackrabbitAccessControlList policy = getAccessControlList(accessControlManager, jcrPath, true);
    checkState(policy != null, "No JackrabbitAccessControlList available for path {0}", jcrPath);

    final LocalRestrictions restrictions = createLocalRestrictions(restrictionClauses, policy, session);

    // Read once, before the loop: the duplicate check below compares against the entries present
    // at this point and is not refreshed after addEntry calls made by this invocation.
    final AccessControlEntry[] entriesBefore = policy.getAccessControlEntries();

    boolean modified = false;
    for (final String principalName : principals) {
        Principal resolved = AccessControlUtils.getPrincipal(session, principalName);
        if (resolved == null) {
            // backwards compatibility: fall back to treating the name as an authorizable ID (see SLING-8604)
            // NOTE(review): a name is matched first as a principal name and then as an authorizable ID;
            // where the two differ, confirm the repoinit statement names the intended identity.
            final Authorizable byId = UserUtil.getAuthorizable(session, principalName);
            checkState(byId != null, "Authorizable not found: {0}", principalName);
            resolved = byId.getPrincipal();
        }
        checkState(resolved != null, PRINCIPAL_NOT_FOUND_PATTERN, principalName);

        final LocalAccessControlEntry candidate =
                new LocalAccessControlEntry(resolved, resolvedPrivileges, isAllow, restrictions);
        if (contains(entriesBefore, candidate)) {
            LOG.info("Not adding {} to path {} since an equivalent access control entry already exists", candidate, jcrPath);
        } else {
            // The value returned by addEntry is not consulted; any submitted entry marks the list as modified.
            policy.addEntry(candidate.principal, candidate.privileges, candidate.isAllow,
                    candidate.restrictions.getRestrictions(), candidate.restrictions.getMVRestrictions());
            modified = true;
        }
    }

    // Skip the write when every requested entry was already present.
    if (modified) {
        accessControlManager.setPolicy(jcrPath, policy);
    }
}