Hi Marco Upon checkin of a versionable node (and it's non-versionable subtree) becomes read-only. I think the first behavior is a bug. Changing permissions of a checked-in node should not be possible. The reason why you are seeing it in the second case is due to the fact that a mixin is automatically added to the checked-in node. But also the modification of access control content in the subtree should trigger the exception (which it doesn't apparently)
Here a quote from the specification: The node N and its connected non-versionable subtree become read-only. N's connected non-versionable subtree is the set of non-versionable descendant nodes reachable from N through child links without encountering any versionable nodes. In other words, the read-only status flows down from the checked-in node along every child link until either a versionable node is encountered or an item with no children is encountered. Since the policy node and the access controlled content stored therein is not versionable the checkin status of it's versionable parent (or ancestor for that matter) should be enforced. May I ask you to create a JIRA ticket for that? Thanks Angela ________________________________________ From: Marco Piovesana <[email protected]> Sent: Tuesday, October 30, 2018 7:05 PM To: [email protected] Subject: ACL on versioned node Hi all, I'm using Oak 1.8.1 and I don't think I fully understand how permissions are handled in versioned nodes. If I create the first version of a node *after* adding an ACE to it, then I can add or remove other ACE without having to checkout the node. If I create the first version of the node *before* adding the first ACE, then I get the error (*OakVersion0001: Cannot change property jcr:mixinTypes on checked in node*) whenever i try to modify the node permissions without checking it out first. what is the expected behavior? Checkout should be required or not to modify the user's permission on the node? Marco.
