Usually it is not required for a application to check the privileges/permissions of a given session (or set of principals) as this evaluation can be left to the repository.
For rare cases where the application needs to understand if a given session is actually allowed to perform a given action, it is recommend to use Session.hasPermission(String, String)
or JackrabbitSession.hasPermission(String, String...)
In order to test permissions that are not reflected in the action constants defined on Session
or JackrabbitSession
, the default implementation also allows to pass the names of the Oak internal permission.
Alternatively, AccessControlManager.hasPrivileges(String, Privilege[])
can be used.
The subtle differences between the permission-testing Session
and the evaluation of privileges on AccessControlManager
are listed below.
Session.hasPermission(String absPath, String actions)
Session.checkPermission(String absPath, String actions)
JackrabbitSession.hasPermission(String absPath, @Nonnull String... actions)
Where
absPath
is an absolute path pointing to an existing or non-existing item (node or property)actions
defines a comma-separated string (or string array respectively) of the actions defined on Session
and JackrabbitSession
(see below). With the default implementation also Oak internal permission names are allowed ( Note: permission names != privilege names)See section Permissions for a comprehensive list and the mapping from actions to permissions.
ACTION_ADD_NODE
is evaluating if the node at the specified absPath can be added; i.e. the path points to the non-existing node you want to addAccessControlManager.hasPrivileges(String absPath, Privilege[] privileges)
AccessControlManager.getPrivileges(String absPath)
Where
absPath
must point to an existing Node (i.e. existing and accessible to the editing session)privileges
represent an array of supported privileges (see corresponding API calls)For testing purpose the Jackrabbit extension further allows to verify the privileges granted to a given combination of principals, which may or may not reflect the actual principal-set assigned to a given Subject
. These calls (see below) however requires the ability to read access control content on the target path.
JackrabbitAccessControlManager.hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges)
JackrabbitAccessControlManager.getPrivileges(String absPath, Set<Principal> principals)
jcr:addChildNode
evaluates if any child can be added at the parent node identify by the specified absPath. The name of child is not known here!