[ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16047529#comment-16047529 ]
Nitin Nizhawan commented on SLING-6422: --------------------------------------- [~bdelacretaz] I further verified that vault package manager also respects ordering. To verify I specified following aces {code} <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]"> <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/> </allow> <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]"> <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/> </allow1> {code} Since in above case restrictions and principal are same, package manager merged the privileges as follows {code} <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties,jcr:addChildNodes]"> <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/> </allow> {code} Then I tried with order reversed for restriction values as follows {code} <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]"> <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/> </allow> <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]"> <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[def,abc]"/> </allow1> {code} In above case package manager did not merge ACEs because I think it also considers restrictions different. So, I suppose we should also consider restrictions with different ordering of values different. WDYT? > Allow for specifying oak restrictions with repoinit > --------------------------------------------------- > > Key: SLING-6422 > URL: https://issues.apache.org/jira/browse/SLING-6422 > Project: Sling > Issue Type: New Feature > Components: Repoinit > Reporter: Nitin Nizhawan > Attachments: SLING6422ApplyRestrictionsV2.patch, > SLING6422ApplyRestrictionsV3.patch, > SLING6422_interpretparsedrestrictionclause.patch, SLING-6422.patch > > > Allow for specifying oak restrictions with repoinit. Currently repoinit > allows one to ADD remove ACLs but there is no way to specify oak restrictions. > http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html -- This message was sent by Atlassian JIRA (v6.4.14#64029)