Description
just found out that the verification in AccessControlValidator asserting that no duplicate entries are present, doesn't take the primary type of the ACE node into account which defines if the entry is allowing or denying access.
In otherwords: when manually adding 2 entries though oak API that only differ by the allow/deny the validator will wrongly fail, warning about duplicate entries. Since adding ACEs manually through JCR API is not possible and the access control list implementation filters out duplications, this issue hasn't shown up.
cc stillalex