Hi Guillaume,

On Wed, 2016-04-13 at 17:52 +0200, Guillaume Lucazeau wrote:
> Hello,
>
> I have a user granted jcr:read and jcr:write privileges on a resource
> "parentNode". Under this resource, I have two nodes with type
> sling:Folder, and I've tried to move a node from one to the other.
> It fails with "javax.jcr.AccessDeniedException: Not allowed to move
> node", until I grant my user the privilege "rep:write" on the
> "parentNode" resource.
>
> I don't get why I have to do that, the Sling documentation doesn't
> even talk about "rep:write", which according to Adobe documentation
> is "a jackrabbit specific aggregate privilege of jcr:write
> and jcr:nodeTypeManagement".

This is probably because jcr:nodeTypeManagement is required for managing mixins on a node type and setting a new primary type, including when creating new nodes.

http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/security/Privilege.html#JCR_NODE_TYPE_MANAGEMENT

I would guess that Session.move tries to set a node type for the destination node and that's why you need jcr:nodeTypeManagement as well.

Robert

>
> I thought the privileges jcr:modifyProperties jcr:addChildNodes
> jcr:removeNode jcr:removeChildNodes (aggregated in jcr:write) would
> be enough to move a node to another parent. I don't mind granting
> "rep:write" privilege to my user, but I would like to better
> understand why it's required.
>
> I'm using Sling 7.
>
> Thank you for your help.
>
> Best regards,
> Guillaume
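The privilege aggregation discussed in this thread, as an added example that is not part of either message and is not Jackrabbit or Sling code: a small Python model of the aggregates named above that resolves a grant to its non-aggregate privileges and reports what it lacks. The requirement set for a move is an assumption taken from the reply's guess, and the names `AGGREGATES`, `ASSUMED_MOVE_REQUIREMENT`, `expand` and `missing` are hypothetical.

```python
# Aggregate privileges exactly as named in the thread (a model, not the JCR API).
AGGREGATES = {
    "jcr:write": {"jcr:modifyProperties", "jcr:addChildNodes",
                  "jcr:removeNode", "jcr:removeChildNodes"},
    "rep:write": {"jcr:write", "jcr:nodeTypeManagement"},
}

# Assumption based on the reply's guess: a move needs everything in
# jcr:write plus jcr:nodeTypeManagement. The thread does not confirm this.
ASSUMED_MOVE_REQUIREMENT = {"jcr:write", "jcr:nodeTypeManagement"}


def expand(privileges, _seen=None):
    """Resolve privilege names to the non-aggregate privileges they contain."""
    seen = set() if _seen is None else _seen
    leaves = set()
    for name in privileges:
        if name in seen:          # already resolved; also guards against cycles
            continue
        seen.add(name)
        members = AGGREGATES.get(name)
        if members is None:
            leaves.add(name)      # not an aggregate in this model
        else:
            leaves |= expand(members, seen)
    return leaves


def missing(granted, required):
    """Non-aggregate privileges that `required` implies but `granted` lacks."""
    return expand(required) - expand(granted)


if __name__ == "__main__":
    original_grant = {"jcr:read", "jcr:write"}    # the grant from the question
    widened_grant = {"jcr:read", "rep:write"}     # the grant that made it work
    print("missing before:", sorted(missing(original_grant, ASSUMED_MOVE_REQUIREMENT)))
    print("missing after: ", sorted(missing(widened_grant, ASSUMED_MOVE_REQUIREMENT)))
    # On top of jcr:write, rep:write adds only jcr:nodeTypeManagement.
    print("added by rep:write:", sorted(expand(widened_grant) - expand(original_grant)))
```

Under that assumption, the only privilege the original grant lacks is jcr:nodeTypeManagement, so adding it next to jcr:write yields the same effective set as granting rep:write.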
