Hi,
I am wondering the reasoning behind not allowing a deny for a set of
permissions to be allowed on a group ?
In JR15
acl.ACLTemplate.addEntry() (ACLTemplate.java#329) calls
checkValidEntry at line 336 which at line 255 has
// additional validation: a group may not have 'denied' permissions
if (!isAllow && principal instanceof Group) {
throw new AccessControlException("For group principals
permissions can only be added but not denied.");
}
Which appears to be contrary to the advice given in [1], assuming CRX
is using the same or similar code.
Thanks
Ian
[1]
http://dev.day.com/discussion-groups/content/lists/crx-yahoo/2009-02/2009-02-05__jcr_crx_ACL_inheritance_agrusell.html
