[ https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17302666#comment-17302666 ]
Bertrand Delacretaz commented on SLING-9871: -------------------------------------------- Thanks for the clarifications. Looking at [1] again I have a feeling that what counts is the _final order of ACL entries in the repository_ and the order in which they are executed by repoinit does not really matter. Especially as existing ACLs in the repository might not be part of the current repoinit script. IIUC what happens at [1] is that {{AccessControlUtil.reorderAccessControlEntries}} [2] is called to reorder the list of ACLs based on the first, last, before and numeric order values. We might do the same with repoinit but I'm not a fan of the first, last and numeric order options. What happens if there are two "first" or "last" entries, or multiple conflicting entries with the same numeric value? Restricting the ordering to "after/before X" where X is a principal name sounds more reasonable to me. And maybe we need "classes" of principals for X, such as "all users" ? In terms of code, we should probably reuse [2], and we can wrap it to remove specific ordering options if we agree on my opinion of first, last and numeric values. [1] https://sling.apache.org/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html#add-or-modify-permissions-1 [2] https://github.com/apache/sling-org-apache-sling-jcr-base/blob/66be360910c265473799635fcac0e23895898913/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java#L741 > Specifying order of ACEs through repoinit directives > ---------------------------------------------------- > > Key: SLING-9871 > URL: https://issues.apache.org/jira/browse/SLING-9871 > Project: Sling > Issue Type: Improvement > Components: Repoinit > Reporter: Ashish Chopra > Priority: Major > > As of writing this, repoinit processor (among other things not relevant to > this JIRA) collects {{create path}} statements and {{set ACL}} statements > declared in all the feature-models applicable to feature-aggregate under > consideration. > Upon repository initialization, it applies all the {{create path}} > statements, followed by all the {{set ACL}} statements. However, the order in > which {{set ACL}} statements declared across feature models are applied isn't > defined (currently, it seems to be based on feature-model-name, > alphabetically ascending). > This causes issues at times because we want the order of the ACEs to be > maintained (e.g., "deny"s for everyone at a given path must be the first ACE, > followed by "allow"s for specific, non-system-user principals) > Repoinit should be able to support this requirement. -- This message was sent by Atlassian Jira (v8.3.4#803005)