Hi Toby, based on your suggestion, I re-ordered the ACEs. Here is the new
order.
{
  "everyone": {
    "principal": "everyone",
    "denied": [
      "jcr:read"
    ],
    "order": 0
  },
  "Managers": {
    "principal": "Managers",
    "granted": [
      "jcr:read"
    ],
    "denied": [
      "jcr:removeNode",
      "jcr:modifyAccessControl",
      "jcr:versionManagement",
      "jcr:nodeTypeManagement",
      "jcr:modifyProperties",
      "jcr:addChildNodes"
    ],
    "order": 1
  }
}
And you are correct. Now the "test" user can see the "child" folder. I guess
where I got stumped was that when "Managers" is the first ACE and I am
allowing "jcr:read" for that group, I expected it to work for all the users
of this group. But I didn't realize that "everyone" is also checked. My
bad.
Thanks a lot for your help. Really appreciate it.
--
View this message in context:
http://jackrabbit.510166.n4.nabble.com/Group-membership-is-not-honoured-tp4660059p4660068.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
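
Added example, not part of the original message and not Jackrabbit code: a simplified model of the ordering behaviour reported above, in which entries are applied in ascending "order" and a later matching entry overrides an earlier one. The evaluation rule, the helper names and the "guest" user are assumptions for illustration; aggregate privileges are not modelled.

```python
# Simplified model (an assumption, not Jackrabbit's actual evaluator):
# entries are visited in ascending "order"; every entry whose principal the
# user holds applies, and a later entry overrides an earlier one per privilege.

MANAGERS_DENIED = ["jcr:removeNode", "jcr:modifyAccessControl",
                   "jcr:versionManagement", "jcr:nodeTypeManagement",
                   "jcr:modifyProperties", "jcr:addChildNodes"]

def make_acl(first, second):
    """Build the two-entry ACL from the message with the given principal order."""
    entries = {
        "everyone": {"principal": "everyone", "denied": ["jcr:read"]},
        "Managers": {"principal": "Managers", "granted": ["jcr:read"],
                     "denied": MANAGERS_DENIED},
    }
    return {name: dict(entries[name], order=i)
            for i, name in enumerate((first, second))}

def effective(acl, principals):
    """Return {privilege: True/False} for a user holding `principals`."""
    result = {}
    for ace in sorted(acl.values(), key=lambda a: a["order"]):
        if ace["principal"] not in principals:
            continue  # entry does not apply to this user
        for priv in ace.get("granted", []):
            result[priv] = True
        for priv in ace.get("denied", []):
            result[priv] = False
    return result

def can(acl, principals, privilege):
    # A privilege that no matching entry mentions is treated as not granted.
    return effective(acl, principals).get(privilege, False)

# Constructed users: "test" is a member of Managers; every user holds "everyone".
TEST_USER = {"test", "everyone", "Managers"}
OTHER_USER = {"guest", "everyone"}  # hypothetical non-member

if __name__ == "__main__":
    for label, acl in [("Managers first", make_acl("Managers", "everyone")),
                       ("everyone first", make_acl("everyone", "Managers"))]:
        print(label, "-> test can read:", can(acl, TEST_USER, "jcr:read"),
              "| non-member can read:", can(acl, OTHER_USER, "jcr:read"))
```

With "everyone" first, the broad deny acts as the baseline and the later "Managers" grant restores read only for group members, while the group's own denies still apply.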