Hi Jorge,

The code you are describing relies on an implementation detail and you are right that it only works for administrative sessions. The reason for this is that using a different user to read from the permission store would essentially leak information that may not be accessible to that session.

Also you have to keep in mind that this code only reads information for one particular authorization model. If your Oak repository would for instance use more than one model, you would miss the effect the other would have.

What you are probably looking for is

    AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals)

This one would show the effective policies for a given set of principals, taking the access rights of the editing session into account. So, if a given Session would not be allowed to read the access control setup at a given node or for a given principal, this information will not leak.

Hope that helps
Angela

________________________________________
From: jorgeeflorez <jorgeeduardoflo...@gmail.com>
Sent: Thursday, April 25, 2019 4:39 PM
To: oak-dev@jackrabbit.apache.org
Subject: Retrieving permissions for user

Hello all,

I am giving maintenance to an application that uses Jackrabbit and Oak (1.5.14). In that software someone wrote the following code to get all permissions given to a user:

    // Reads the internal permission store directly.
    List<String> authPaths = new ArrayList<>();
    String permissionParent = "/jcr:system/rep:permissionStore/default/" + principalName;
    Node parent = session.getNode(permissionParent);
    NodeIterator iter = parent.getNodes();
    while (iter.hasNext()) {
        Node current = iter.nextNode();
        // Each child node records one access-controlled path for the principal.
        Property prop = current.getProperty("rep:accessControlledPath");
        authPaths.add(prop.getString());
    }

This way in the user interface all paths are shown and when one is selected, the privileges assigned can be shown. The problem with this code is that it only works when it is executed by the "admin" user (if I understood well, it is because of the restricted access of "/jcr:system/rep:permissionStore" as explained here <https://jackrabbit.apache.org/oak/docs/security/permission/default.html>).

I need to display all paths with privileges assigned to a user, and I think this is not possible using the methods described here <https://jackrabbit.apache.org/oak/docs/security/accesscontrol/editing.html>, because they receive a path as argument (maybe I am wrong). Is there a way to achieve this (and that works for admin and all users with proper permissions)?

Thanks in advance.

Best Regards.
Jorge Eduardo Flórez
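
The `getEffectivePolicies(Set<Principal>)` call suggested in the reply, sketched as an added example (not code from the thread or from the Oak project) that lists paths and privileges for one principal without touching the permission store. It assumes the session is a `JackrabbitSession`; the class and method names `PrincipalAccessReport` and `collect` are hypothetical.

```java
import java.security.Principal;
import java.util.*;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;

// Hypothetical helper; not part of Oak or of the application discussed in the thread.
public final class PrincipalAccessReport {

    /** Maps each access-controlled path to "allow ..." / "deny ..." lines for principalName. */
    public static Map<String, List<String>> collect(Session session, String principalName)
            throws RepositoryException {
        Map<String, List<String>> byPath = new TreeMap<>();
        // Assumption: the repository hands out JackrabbitSession instances.
        Principal principal =
                ((JackrabbitSession) session).getPrincipalManager().getPrincipal(principalName);
        if (principal == null) {
            return byPath; // no such principal
        }
        AccessControlManager acm = session.getAccessControlManager();
        if (!(acm instanceof JackrabbitAccessControlManager)) {
            throw new UnsupportedRepositoryOperationException("principal-based lookup unavailable");
        }
        AccessControlPolicy[] policies = ((JackrabbitAccessControlManager) acm)
                .getEffectivePolicies(Collections.singleton(principal));
        for (AccessControlPolicy policy : policies) {
            if (!(policy instanceof JackrabbitAccessControlList)) {
                continue; // policy type of another authorization model: handle separately
            }
            JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
            String path = acl.getPath() == null ? "(repository level)" : acl.getPath();
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (!principalName.equals(ace.getPrincipal().getName())) {
                    continue; // keep only entries written for the requested principal
                }
                // Plain JCR entries only grant; the Jackrabbit extension adds deny entries.
                boolean allow = !(ace instanceof JackrabbitAccessControlEntry)
                        || ((JackrabbitAccessControlEntry) ace).isAllow();
                StringBuilder line = new StringBuilder(allow ? "allow" : "deny");
                for (Privilege privilege : ace.getPrivileges()) {
                    line.append(' ').append(privilege.getName());
                }
                byPath.computeIfAbsent(path, k -> new ArrayList<>()).add(line.toString());
            }
        }
        return byPath;
    }
}
```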