/**
 * Verifies that search results stay restricted when a negative (deny) ACE is
 * set below a folder the user was granted READ on.
 *
 * <p>Scenario, as asserted below:
 * <ol>
 *   <li>the unrestricted {@code session} finds 10 documents;</li>
 *   <li>user "toto" initially finds 0;</li>
 *   <li>after a READ grant on {@code /folder0/folder1/folder2}, "toto" finds 8;</li>
 *   <li>after a deny-EVERYTHING ACE for "bob" on {@code .../folder5}, "toto" finds 3.</li>
 * </ol>
 *
 * <p>The deny ACE names "bob", yet the result set of "toto" shrinks. Presumably
 * the search-side security filter cannot evaluate negative ACEs and hides the
 * affected subtree from everyone (fail closed) rather than risk exposing it;
 * confirm against the indexing code.
 *
 * <p>The test is skipped when the repository does not allow negative ACLs.
 */
@Test
public void shouldDenyAccessOnUnsupportedACL() throws Exception {
    assumeTrue(session.isNegativeAclAllowed());
    buildAndIndexTree();

    // Baseline: the unrestricted session sees the whole tree.
    DocumentModelList allDocs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, allDocs.totalSize());

    // A user without any right must get an empty result set.
    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
        DocumentModelList beforeGrant = ess.query(
                new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
        Assert.assertEquals(0, beforeGrant.totalSize());

        // Grant READ to "toto" on folder2 and check that the grant is visible in search.
        // NOTE(review): no explicit session.save() here, unlike the deny step below;
        // the commit presumably flushes the change. Confirm.
        DocumentRef grantedFolder = new PathRef("/folder0/folder1/folder2");
        ACP grantAcp = new ACPImpl();
        ACL grantAcl = ACPImpl.newACL(ACL.LOCAL_ACL);
        grantAcl.add(new ACE("toto", SecurityConstants.READ, true));
        grantAcp.addACL(grantAcl);
        session.setACP(grantedFolder, grantAcp, true);

        // Commit, wait for completion, then open a new transaction for the next query.
        TransactionHelper.commitOrRollbackTransaction();
        waitForCompletion();
        startTransaction();

        DocumentModelList afterGrant = ess.query(
                new NxQueryBuilder(restrictedSession).nxql("select * from Document order by dc:title"));
        Assert.assertEquals(8, afterGrant.totalSize());

        // Add an unsupported negative ACE (deny EVERYTHING for "bob") deeper in the tree.
        DocumentRef deniedFolder = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
        ACP denyAcp = new ACPImpl();
        ACL denyAcl = ACPImpl.newACL(ACL.LOCAL_ACL);
        denyAcl.add(new ACE("bob", SecurityConstants.EVERYTHING, false));
        denyAcp.addACL(denyAcl);
        session.setACP(deniedFolder, denyAcp, true);
        session.save();

        TransactionHelper.commitOrRollbackTransaction();
        waitForCompletion();
        startTransaction();

        DocumentModelList afterDeny = ess.query(
                new NxQueryBuilder(restrictedSession).nxql("select * from Document order by dc:title"));
        // Only folder2, folder3 and folder4 remain visible to "toto".
        Assert.assertEquals(3, afterDeny.totalSize());
    } finally {
        // Always release the restricted session, even when an assertion fails.
        restrictedSession.close();
    }
}