protected DocumentRef createDocumentModelWithSamplePermissions(String name) {
    DocumentModel root = session.getRootDocument();
    DocumentModel doc = new DocumentModelImpl(root.getPathAsString(), name, "Folder");
    doc = session.createDocument(doc);

    ACP acp = doc.getACP();
    ACL localACL = acp.getOrCreateACL();

    localACL.add(new ACE("joe_reader", READ, true));

    localACL.add(new ACE("joe_contributor", READ, true));
    localACL.add(new ACE("joe_contributor", WRITE_PROPERTIES, true));
    localACL.add(new ACE("joe_contributor", ADD_CHILDREN, true));

    localACL.add(new ACE("joe_localmanager", READ, true));
    localACL.add(new ACE("joe_localmanager", WRITE, true));
    localACL.add(new ACE("joe_localmanager", WRITE_SECURITY, true));

    acp.addACL(localACL);
    doc.setACP(acp, true);

    // add the permission to remove children on the root
    ACP rootACP = root.getACP();
    ACL rootACL = rootACP.getOrCreateACL();
    rootACL.add(new ACE("joe_localmanager", REMOVE_CHILDREN, true));
    rootACP.addACL(rootACL);
    root.setACP(rootACP, true);

    // make it visible for others
    session.save();
    return doc.getRef();
  }
Пример #2
0
  @Test
  public void shouldDenyAccessOnUnsupportedACL() throws Exception {
    assumeTrue(session.isNegativeAclAllowed());

    buildAndIndexTree();
    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    // check for user with no rights
    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      // add READ rights and check that user now has access
      DocumentRef ref = new PathRef("/folder0/folder1/folder2");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(new ACE("toto", SecurityConstants.READ, true));
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(8, docs.totalSize());

      // Add an unsupported negative ACL
      ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(new ACE("bob", SecurityConstants.EVERYTHING, false));

      acp.addACL(acl);
      session.setACP(ref, acp, true);
      session.save();
      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      // can view folder2, folder3 and folder4
      Assert.assertEquals(3, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }
Пример #3
0
  @Test
  public void shouldStoreOnlyEffectiveACEs() throws Exception {
    buildAndIndexTree();

    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      DocumentRef ref = new PathRef("/folder0");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(ACE.builder("toto", SecurityConstants.READ).build());
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(10, docs.totalSize());

      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      // make the ACE archived
      Date now = new Date();
      Calendar begin = new GregorianCalendar();
      begin.setTimeInMillis(now.toInstant().minus(10, ChronoUnit.DAYS).toEpochMilli());
      Calendar end = new GregorianCalendar();
      end.setTimeInMillis(now.toInstant().minus(2, ChronoUnit.DAYS).toEpochMilli());
      acl.add(ACE.builder("toto", SecurityConstants.READ).begin(begin).end(end).build());
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(0, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }
Пример #4
0
 @Override
 public ACP getMergedACP(Document doc) {
   Document base = doc.isVersion() ? doc.getSourceDocument() : doc;
   if (base == null) {
     return null;
   }
   ACP acp = getACP(base);
   if (doc.getParent() == null) {
     return acp;
   }
   // get inherited acls only if no blocking inheritance ACE exists in the top level acp.
   ACL acl = null;
   if (acp == null
       || acp.getAccess(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING) != Access.DENY) {
     acl = getInheritedACLs(doc);
   }
   if (acp == null) {
     if (acl == null) {
       return null;
     }
     acp = new ACPImpl();
   }
   if (acl != null) {
     acp.addACL(acl);
   }
   return acp;
 }
  @Test
  public void testReadAclAfterCopy() {
    DocumentModel folder1 = new DocumentModelImpl("/", "folder1", "Folder");
    folder1 = session.createDocument(folder1);
    DocumentModel folder2 = new DocumentModelImpl("/", "folder2", "Folder");
    folder2 = session.createDocument(folder2);
    DocumentModel doc = new DocumentModelImpl("/folder1", "doc", "File");
    doc = session.createDocument(doc);

    // set ACL on folder2
    ACL acl = new ACLImpl();
    acl.add(new ACE("Everyone", "Read", true));
    ACP acp = new ACPImpl();
    acp.addACL(acl);
    folder2.setACP(acp, true);
    session.save();

    // doc under folder1 cannot be read by joe
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM File");
      assertEquals(0, list.size());
    }

    // copy doc under folder2
    session.copy(doc.getRef(), folder2.getRef(), "doccopy");
    session.save();

    // check doc copy now readable by joe
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM File");
      assertEquals(1, list.size());
      assertEquals("doccopy", list.get(0).getName());
    }
  }
  @Test
  public void testReadAclAfterSetACP() {
    DocumentModel folder = new DocumentModelImpl("/", "folder", "Folder");
    folder = session.createDocument(folder);
    DocumentModel doc = new DocumentModelImpl("/folder", "doc", "File");
    doc = session.createDocument(doc);
    session.save();

    // nothing can be seen by joe
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM Folder");
      assertEquals(0, list.size());
      list = joeSession.query("SELECT * FROM File");
      assertEquals(0, list.size());
    }

    // set ACL on folder
    ACL acl = new ACLImpl();
    acl.add(new ACE("Everyone", "Read", true));
    ACP acp = new ACPImpl();
    acp.addACL(acl);
    folder.setACP(acp, true);
    session.save();

    // now joe sees things
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM Folder");
      assertEquals(1, list.size());
      assertEquals(folder.getId(), list.get(0).getId());
      list = joeSession.query("SELECT * FROM File");
      assertEquals(1, list.size());
      assertEquals(doc.getId(), list.get(0).getId());
    }
  }
  @Test
  public void testACLEscaping() {
    // temporary set an Everything privileges on the root for anonymous
    // so that we can create a folder
    setPermissionToAnonymous(EVERYTHING);

    DocumentModel root = session.getRootDocument();

    DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "folder1", "Folder");
    folder = session.createDocument(folder);

    ACP acp = new ACPImpl();
    ACL acl = new ACLImpl();
    acl.add(new ACE("xyz", "Read", true));
    acl.add(new ACE("abc@def<&>/ ", "Read", true));
    acl.add(new ACE("caf\u00e9", "Read", true));
    acl.add(new ACE("o'hara", "Read", true)); // name to quote
    acl.add(new ACE("A_x1234_", "Read", true)); // name to quote
    acp.addACL(acl);
    folder.setACP(acp, true);

    // check what we read
    acp = folder.getACP();
    assertNotNull(acp);
    acl = acp.getACL(ACL.LOCAL_ACL);
    assertEquals("xyz", acl.get(0).getUsername());
    assertEquals("abc@def<&>/ ", acl.get(1).getUsername());
    assertEquals("caf\u00e9", acl.get(2).getUsername());
    assertEquals("o'hara", acl.get(3).getUsername());
    assertEquals("A_x1234_", acl.get(4).getUsername());
  }
Пример #8
0
  // security on versions, see TestLocalAPIWithCustomVersioning
  @Test
  public void testVersionSecurity() throws Exception {
    DocumentModel folder = new DocumentModelImpl("/", "folder", "Folder");
    folder = session.createDocument(folder);
    ACP acp = new ACPImpl();
    ACE ace = new ACE("princ1", "perm1", true);
    ACL acl = new ACLImpl("acl1", false);
    acl.add(ace);
    acp.addACL(acl);
    session.setACP(folder.getRef(), acp, true);
    DocumentModel file = new DocumentModelImpl("/folder", "file", "File");
    file = session.createDocument(file);
    // set security
    acp = new ACPImpl();
    ace = new ACE("princ2", "perm2", true);
    acl = new ACLImpl("acl2", false);
    acl.add(ace);
    acp.addACL(acl);
    session.setACP(file.getRef(), acp, true);
    session.save();

    DocumentModel proxy = session.publishDocument(file, folder);
    DocumentModel version = session.getLastDocumentVersion(file.getRef());
    session.save();

    // check security on version
    acp = session.getACP(version.getRef());
    ACL[] acls = acp.getACLs();
    assertEquals(2, acls.length);
    acl = acls[0];
    assertEquals(1, acl.size());
    assertEquals("princ2", acl.get(0).getUsername());
    acl = acls[1];
    assertEquals(1 + 3, acl.size()); // 1 + 3 root defaults
    assertEquals("princ1", acl.get(0).getUsername());

    // remove live document (there's a proxy so the version stays)
    session.removeDocument(file.getRef());
    session.save();
    // recheck security on version (works because we're administrator)
    acp = session.getACP(version.getRef());
    assertNull(acp);
    // check proxy still accessible (in another session)
    try (CoreSession session2 = openSessionAs(SecurityConstants.ADMINISTRATOR)) {
      session2.getDocument(proxy.getRef());
    }
  }
  @Test
  public void testGetParentDocuments() {

    setPermissionToAnonymous(EVERYTHING);

    DocumentModel root = session.getRootDocument();

    String name = "Workspaces#1";
    DocumentModel workspaces = new DocumentModelImpl(root.getPathAsString(), name, "Workspace");
    session.createDocument(workspaces);
    String name2 = "repositoryWorkspace2#";
    DocumentModel repositoryWorkspace =
        new DocumentModelImpl(workspaces.getPathAsString(), name2, "Workspace");
    repositoryWorkspace = session.createDocument(repositoryWorkspace);

    String name3 = "ws#3";
    DocumentModel ws1 =
        new DocumentModelImpl(repositoryWorkspace.getPathAsString(), name3, "Workspace");
    ws1 = session.createDocument(ws1);
    String name4 = "ws#4";
    DocumentModel ws2 = new DocumentModelImpl(ws1.getPathAsString(), name4, "Workspace");
    session.createDocument(ws2);

    if (session.isNegativeAclAllowed()) { // always false for Mem
      ACP acp = new ACPImpl();
      ACE denyRead = new ACE("test", READ, false);
      ACL acl = new ACLImpl();
      acl.setACEs(new ACE[] {denyRead});
      acp.addACL(acl);
      // TODO this produces a stack trace
      repositoryWorkspace.setACP(acp, true);
      ws1.setACP(acp, true);
    }

    session.save();

    List<DocumentModel> ws2ParentsUnderAdministrator = session.getParentDocuments(ws2.getRef());
    assertTrue(
        "list parents for"
            + ws2.getName()
            + "under "
            + session.getPrincipal().getName()
            + " is not empty:",
        !ws2ParentsUnderAdministrator.isEmpty());

    CoreSession testSession = openSessionAs("test");
    List<DocumentModel> ws2ParentsUnderTest = testSession.getParentDocuments(ws2.getRef());
    assertTrue(
        "list parents for"
            + ws2.getName()
            + "under "
            + testSession.getPrincipal().getName()
            + " is empty:",
        ws2ParentsUnderTest.isEmpty());
    closeSession(testSession);
  }
Пример #10
0
 @Test
 public void testAllowVersionWriteACL() {
   DocumentModel doc = session.createDocumentModel("/", "doc", "File");
   doc = session.createDocument(doc);
   DocumentRef verRef = session.checkIn(doc.getRef(), null, null);
   DocumentModel ver = session.getDocument(verRef);
   ACL acl = new ACLImpl("acl1", false);
   ACE ace = new ACE("princ1", "perm1", true);
   acl.add(ace);
   ACP acp = new ACPImpl();
   acp.addACL(acl);
   // check that ACP can be set
   ver.setACP(acp, true);
 }
  @Test
  public void testReadAclSecurityUpdate() {
    // check that aclOptimization update the user aclr cache
    // NXP-13109
    DocumentModel root = session.getRootDocument();
    // Create a doc and set a new ACLR on it
    DocumentModel doc = new DocumentModelImpl(root.getPathAsString(), "foo", "Folder");
    doc = session.createDocument(doc);
    ACP acp = doc.getACP();
    assertNotNull(acp);
    acp = new ACPImpl();
    ACL acl = new ACLImpl();
    acl.add(new ACE("Everyone", "Read", true));
    acp.addACL(acl);
    doc.setACP(acp, true);
    session.save();

    CoreSession joeSession = openSessionAs("joe");
    try {
      DocumentModelList list;
      list = joeSession.query("SELECT * FROM Folder");
      assertEquals(1, list.size());
      // Remove the document, so the ACLR created is not anymore assigned
      session.removeDocument(doc.getRef());
      session.save();
      list = joeSession.query("SELECT * FROM Folder");
      assertEquals(0, list.size());
    } finally {
      closeSession(joeSession);
    }

    CoreSession bobSession = openSessionAs("bob");
    try {
      DocumentModelList list;
      // Perform a query to init the ACLR cache
      list = bobSession.query("SELECT * FROM Folder");
      assertEquals(0, list.size());
      // Create a new doc with the same ACLR
      doc = new DocumentModelImpl(root.getPathAsString(), "bar", "Folder");
      doc = session.createDocument(doc);
      doc.setACP(acp, true);
      session.save();
      // Check that the ACLR has been added to the user cache
      list = bobSession.query("SELECT * FROM Folder");
      assertEquals(1, list.size());
    } finally {
      closeSession(bobSession);
    }
  }
Пример #12
0
 // unit tested
 protected static ACP aclRowsToACP(ACLRow[] acls) {
   ACP acp = new ACPImpl();
   ACL acl = null;
   String name = null;
   for (ACLRow aclrow : acls) {
     if (!aclrow.name.equals(name)) {
       if (acl != null) {
         acp.addACL(acl);
       }
       name = aclrow.name;
       acl = new ACLImpl(name);
     }
     // XXX should prefix user/group
     String user = aclrow.user;
     if (user == null) {
       user = aclrow.group;
     }
     acl.add(new ACE(user, aclrow.permission, aclrow.grant));
   }
   if (acl != null) {
     acp.addACL(acl);
   }
   return acp;
 }
  @Test
  public void testReadAclAfterCreate() {
    DocumentModel folder = new DocumentModelImpl("/", "folder", "Folder");
    folder = session.createDocument(folder);
    session.save();

    // folder can be seen by a member
    UserPrincipal joeMember =
        new UserPrincipal("joe", Arrays.asList("Everyone", "members"), false, false);
    try (CoreSession joeSession = openSessionAs(joeMember)) {
      DocumentModelList list = joeSession.query("SELECT * FROM Folder");
      assertEquals(1, list.size());
      assertEquals(folder.getId(), list.get(0).getId());
    }

    // but not as a non-member
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM Folder");
      assertEquals(0, list.size());
    }

    // set ACL on folder
    ACL acl = new ACLImpl();
    acl.add(new ACE("Everyone", "Read", true));
    ACP acp = new ACPImpl();
    acp.addACL(acl);
    folder.setACP(acp, true);
    session.save();

    // the folder can be seen by joe
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM Folder");
      assertEquals(1, list.size());
      assertEquals(folder.getId(), list.get(0).getId());
    }

    // create a doc under the folder
    DocumentModel doc = new DocumentModelImpl("/folder", "doc", "File");
    doc = session.createDocument(doc);
    session.save();

    // the doc can be seen by joe
    try (CoreSession joeSession = openSessionAs("joe")) {
      DocumentModelList list = joeSession.query("SELECT * FROM File");
      assertEquals(1, list.size());
      assertEquals(doc.getId(), list.get(0).getId());
    }
  }
Пример #14
0
  @Test
  public void shouldFilterTreeOnSecurity() throws Exception {

    buildAndIndexTree();

    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    // check for user with no rights
    startTransaction();
    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      // add READ rights and check that user now has access

      DocumentRef ref = new PathRef("/folder0/folder1/folder2");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(new ACE("toto", SecurityConstants.READ, true));
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();
      if (syncMode) {
        // in sync we split recursive update into 2 commands:
        // 1 sync non recurse + 1 async recursive
        assertNumberOfCommandProcessed(9);
      } else {
        assertNumberOfCommandProcessed(8);
      }

      startTransaction();
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(8, docs.totalSize());

      // block rights and check that blocking is taken into account

      ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);

      acl.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));
      acl.add(new ACE("Administrator", SecurityConstants.EVERYTHING, true));
      acp.addACL(acl);

      session.setACP(ref, acp, true);

      session.save();
      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();
      if (syncMode) {
        assertNumberOfCommandProcessed(6);
      } else {
        assertNumberOfCommandProcessed(5);
      }
      startTransaction();
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(3, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }
  @Test
  public void testReadAclSecurity() {
    // Check that all permissions that contain Browse enable to list a
    // document using aclOptimization
    SecurityService securityService = NXCore.getSecurityService();
    String[] browsePermissions = securityService.getPermissionsToCheck(BROWSE);
    // Check for test permission contribution
    assertTrue(Arrays.asList(browsePermissions).contains("ViewTest"));
    List<String> docNames = new ArrayList<String>(browsePermissions.length);
    DocumentModel root = session.getRootDocument();
    for (String permission : browsePermissions) {
      // Create a folder with only the browse permission
      String name = "joe-has-" + permission + "-permission";
      docNames.add(name);
      DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), name, "Folder");
      folder = session.createDocument(folder);
      ACP acp = folder.getACP();
      assertNotNull(acp); // the acp inherited from root is returned
      acp = new ACPImpl();
      ACL acl = new ACLImpl();
      acl.add(new ACE("joe", permission, true));
      acp.addACL(acl);
      folder.setACP(acp, true);
    }
    session.save();
    CoreSession joeSession = openSessionAs("joe");
    try {
      DocumentModelList list;
      list = joeSession.query("SELECT * FROM Folder");
      List<String> names = new ArrayList<String>();
      for (DocumentModel doc : list) {
        names.add(doc.getName());
      }
      assertEquals(
          "Expecting " + docNames + " got " + names, browsePermissions.length, list.size());

      list = joeSession.query("SELECT * FROM Folder WHERE ecm:isProxy = 0");
      names.clear();
      for (DocumentModel doc : list) {
        names.add(doc.getName());
      }
      assertEquals(
          "Expecting " + docNames + " got " + names, browsePermissions.length, list.size());

      // Add a new folder to update the read acls
      DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "new-folder", "Folder");
      folder = session.createDocument(folder);
      ACP acp = folder.getACP();
      assertNotNull(acp); // the acp inherited from root is returned
      acp = new ACPImpl();
      ACL acl = new ACLImpl();
      acl.add(new ACE("joe", browsePermissions[0], true));
      acl.add(new ACE("bob", browsePermissions[0], true));
      acp.addACL(acl);
      folder.setACP(acp, true);
      session.save();

      list = joeSession.query("SELECT * FROM Folder");
      assertEquals(browsePermissions.length + 1, list.size());

    } finally {
      closeSession(joeSession);
    }
  }
  @Test
  public void testSecurity() {
    // temporary set an Everything privileges on the root for anonymous
    // so that we can create a folder
    setPermissionToAnonymous(EVERYTHING);

    CoreSession anonSession = openSessionAs("anonymous");
    try {
      DocumentModel root = anonSession.getRootDocument();

      DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "folder#1", "Folder");
      folder = anonSession.createDocument(folder);

      ACP acp = folder.getACP();
      assertNotNull(acp); // the acp inherited from root is returned

      acp = new ACPImpl();

      ACL acl = new ACLImpl();
      acl.add(new ACE("a", "Read", true));
      acl.add(new ACE("b", "Write", true));
      acp.addACL(acl);

      folder.setACP(acp, true);

      acp = folder.getACP();

      assertNotNull(acp);

      assertEquals("a", acp.getACL(ACL.LOCAL_ACL).get(0).getUsername());
      assertEquals("b", acp.getACL(ACL.LOCAL_ACL).get(1).getUsername());

      assertSame(GRANT, acp.getAccess("a", "Read"));
      assertSame(UNKNOWN, acp.getAccess("a", "Write"));
      assertSame(GRANT, acp.getAccess("b", "Write"));
      assertSame(UNKNOWN, acp.getAccess("b", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Write"));

      // insert a deny Write ACE before the GRANT

      acp.getACL(ACL.LOCAL_ACL).add(0, new ACE("b", "Write", false));
      // store changes
      folder.setACP(acp, true);
      // refetch ac
      acp = folder.getACP();
      // check perms now
      assertSame(GRANT, acp.getAccess("a", "Read"));
      assertSame(UNKNOWN, acp.getAccess("a", "Write"));
      assertSame(DENY, acp.getAccess("b", "Write"));
      assertSame(UNKNOWN, acp.getAccess("b", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Write"));

      // create a child document and grant on it the write for b

      // remove anonymous Everything privileges on the root
      // so that it not influence test results
      removePermissionToAnonymous();
      anonSession.save(); // process invalidations

      try {
        DocumentModel folder2 =
            new DocumentModelImpl(folder.getPathAsString(), "folder#2", "Folder");
        folder2 = anonSession.createDocument(folder2);
        fail("privilege is granted but should not be");
      } catch (DocumentSecurityException e) {
        // ok
      }

      setPermissionToAnonymous(EVERYTHING);
      anonSession.save(); // process invalidations

      root = anonSession.getRootDocument();

      // and try again - this time it should work
      DocumentModel folder2 = new DocumentModelImpl(folder.getPathAsString(), "folder#2", "Folder");
      folder2 = anonSession.createDocument(folder2);

      ACP acp2 = new ACPImpl();
      acl = new ACLImpl();
      acl.add(new ACE("b", "Write", true));
      acp2.addACL(acl);

      folder2.setACP(acp2, true);
      acp2 = folder2.getACP();

      assertSame(GRANT, acp2.getAccess("a", "Read"));
      assertSame(UNKNOWN, acp2.getAccess("a", "Write"));
      assertSame(GRANT, acp2.getAccess("b", "Write"));
      assertSame(UNKNOWN, acp2.getAccess("b", "Read"));
      assertSame(UNKNOWN, acp2.getAccess("c", "Read"));
      assertSame(UNKNOWN, acp2.getAccess("c", "Write"));

      // remove anonymous Everything privileges on the root
      // so that it not influence test results
      removePermissionToAnonymous();
      anonSession.save(); // process invalidations

      setPermissionToEveryone(WRITE, REMOVE, ADD_CHILDREN, REMOVE_CHILDREN, READ);
      root = anonSession.getRootDocument();

      DocumentModel folder3 = new DocumentModelImpl(folder.getPathAsString(), "folder#3", "Folder");
      folder3 = anonSession.createDocument(folder3);

      anonSession.removeDocument(folder3.getRef());

      removePermissionToEveryone();
      setPermissionToEveryone(REMOVE);
      anonSession.save(); // process invalidations

      try {
        folder3 = new DocumentModelImpl(folder.getPathAsString(), "folder#3", "Folder");
        folder3 = anonSession.createDocument(folder3);
        fail();
      } catch (Exception e) {

      }
    } finally {
      closeSession(anonSession);
    }
  }