The current base implementation of the JackrabbitAccessControlList present in Oak performs some cleanup in order to avoid accumulating a lot of redundant access control entries.
In the following sequence of ACEs, however, the cleanup is incomplete, as the code breaks after the cleanup:
- grant jcr:write to principalA
- deny jcr:read to principalA
- grant jcr:read to principalA
The expected outcome would be that the deny entry is removed and the new allow is merged with the first entry. Instead, the deny entry is still present after the new entry has been merged into the list.
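The sequence above, replayed against a simplified model of the cleanup (an added example, not Oak's code), shows the stale deny entry next to the expected result. Assumptions: "breaks" is read as leaving the cleanup loop after the first merge, privileges are treated as opaque names, restrictions are ignored, and `Ace`, `add_entry` and `replay` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool
    privileges: frozenset

def add_entry(entries, new, break_after_merge=False):
    """Add `new` to the list, merging same-type entries and trimming opposite ones.

    break_after_merge=True models the reported behaviour: the pass stops once
    the new entry has been merged, so later entries are never cleaned up.
    """
    out, merged, stopped = [], False, False
    for e in entries:
        if stopped or e.principal != new.principal:
            out.append(e)                      # untouched entry
        elif e.allow == new.allow:
            if merged:
                out.append(e)
            else:                              # merge into first same-type entry
                out.append(Ace(e.principal, e.allow, e.privileges | new.privileges))
                merged, stopped = True, break_after_merge
        else:
            rest = e.privileges - new.privileges
            if rest:                           # opposite entry keeps what is left
                out.append(Ace(e.principal, e.allow, rest))
            # an opposite entry left with no privileges is dropped
    if not merged:
        out.append(new)
    return out

def replay(break_after_merge):
    """Replay the three ACEs from the report; the flag applies to the last add."""
    steps = [(True, "jcr:write"), (False, "jcr:read"), (True, "jcr:read")]
    acl = []
    for i, (allow, priv) in enumerate(steps):
        last = i == len(steps) - 1
        acl = add_entry(acl, Ace("principalA", allow, frozenset({priv})),
                        break_after_merge and last)
    return acl

if __name__ == "__main__":
    for flag in (True, False):
        print("early break" if flag else "full pass ", [
            ("allow" if a.allow else "deny", sorted(a.privileges)) for a in replay(flag)])
```
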