Sling initial content loading - how to set access permissions?

Question

I have a bundle that was generated by the Maven sling-initial-content archetype, that means the content is imported into the repository when the bundle gets installed. I want anonymous users to be able to add child nodes to a specific node and I want to set these permissions automatically on bundle installation. I tried the following (stored as a JSON file in the content directory), but it generates an error:

"Cannot load initial content for bundle com.example.acltest : Unable to perform operation. Node is protected."

{
    "jcr:primaryType": "nt:unstructured",   
    "jcr:mixinTypes": ["rep:AccessControllable"],
    "rep:policy": {
        "jcr:primaryType": "rep:ACL",
        "jcr:mixinTypes": ["sling:HierarchyNode"],
        "allow": {
            "jcr:primaryType": "rep:GrantACE",
            "jcr:mixinTypes": ["sling:HierarchyNode"],
            "rep:principalName": "anonymous",
            "rep:privileges": ["jcr:addChildNodes"]
        }
    }
}

What's wrong with it? Honestly, I don't even know what "The node is protected" is supposed to mean.

Answer 1

I think Sling's content loader module cannot handle those nodes, it would need special handling for them, to convert them into the corresponding JCR calls that set ACLs.

Jackrabbit's filevault module does implement this using fake rep:ACL nodetypes that are interpreted when loading such content files, IIUC. Using filevault might be an option if you really need those ACLs in the initial content files.

The alternative in Sling is to use the bundle's Activator, or an OSGi component provided by that bundle, to set the ACLs as desired (only once, if your users are allowed to change them). I think the initial content will be installed before the Activator or OSGi components are activated, but you'll need to verify that.