private List<Privilege> getPrivilegesToFilter(Node node) { if (node instanceof JCRNodeWrapper) { node = ((JCRNodeWrapper) node).getRealNode(); } List<Privilege> privilegeToFilterOut = new ArrayList<>(); // jcr:modifyAccessControl permission when data source is AccessControllable, only on // ExternalNodeImpl // ExtensionNodeImpl acls can be modify if (aclReadOnly && node instanceof ExternalNodeImpl) { privilegeToFilterOut.add(modifyAccessControlPrivilege); } // all write permissions in case of the data source not writable and not extendable if (!writable && node instanceof ExternalNodeImpl && (session.getOverridableProperties() == null || session.getOverridableProperties().size() == 0)) { privilegeToFilterOut.add(writePrivilege); privilegeToFilterOut.addAll(Lists.newArrayList(writePrivilege.getAggregatePrivileges())); } return privilegeToFilterOut; }