Index: src/main/java/org/apache/jackrabbit/core/BatchedItemOperations.java =================================================================== --- src/main/java/org/apache/jackrabbit/core/BatchedItemOperations.java (revision 563404) +++ src/main/java/org/apache/jackrabbit/core/BatchedItemOperations.java (working copy) @@ -560,7 +560,7 @@ throw new ItemNotFoundException(safeGetJCRPath(parentState.getNodeId())); } // make sure current session is granted write access on parent node - if (!accessMgr.isGranted(parentState.getNodeId(), AccessManager.WRITE)) { + if (!accessMgr.isGranted(parentState.getNodeId(), AccessManager.ADD)) { throw new AccessDeniedException(safeGetJCRPath(parentState.getNodeId()) + ": not allowed to add child node"); } Index: src/main/java/org/apache/jackrabbit/core/security/AccessManager.java =================================================================== --- src/main/java/org/apache/jackrabbit/core/security/AccessManager.java (revision 563404) +++ src/main/java/org/apache/jackrabbit/core/security/AccessManager.java (working copy) @@ -40,6 +40,11 @@ int WRITE = 2; /** + * WRITE permission constant + */ + int ADD = 3; + + /** * REMOVE permission constant */ int REMOVE = 4; Index: src/main/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java =================================================================== --- src/main/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java (revision 563404) +++ src/main/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java (working copy) @@ -98,8 +98,9 @@ // system has always all permissions return; } else if (anonymous) { - // anonymous is always denied WRITE & REMOVE permissions + // anonymous is always denied WRITE, ADD & REMOVE permissions if ((permissions & WRITE) == WRITE + || (permissions & ADD) == ADD || (permissions & REMOVE) == REMOVE) { throw new AccessDeniedException(); } @@ -122,6 +123,7 @@ } else if (anonymous) { // anonymous is always denied WRITE & REMOVE premissions if ((permissions & WRITE) == WRITE + || (permissions & ADD) == ADD || (permissions & REMOVE) == REMOVE) { return false; } Index: src/main/java/org/apache/jackrabbit/core/security/SimpleJBossAccessManager.java =================================================================== --- src/main/java/org/apache/jackrabbit/core/security/SimpleJBossAccessManager.java (revision 563404) +++ src/main/java/org/apache/jackrabbit/core/security/SimpleJBossAccessManager.java (working copy) @@ -98,7 +98,7 @@ public boolean isGranted(ItemId id, int permissions) { // system has always all permissions // anonymous has all but WRITE & REMOVE premissions - return system || (anonymous && ((permissions & (WRITE | REMOVE)) == 0)); + return system || (anonymous && ((permissions & (WRITE | ADD | REMOVE)) == 0)); } public boolean canAccess(String workspaceName) { Index: src/main/java/org/apache/jackrabbit/core/SessionImpl.java =================================================================== --- src/main/java/org/apache/jackrabbit/core/SessionImpl.java (revision 563404) +++ src/main/java/org/apache/jackrabbit/core/SessionImpl.java (working copy) @@ -663,7 +663,7 @@ // parent does not exist (i.e. / was specified), throw exception throw new AccessControlException(ADD_NODE_ACTION); } - accessMgr.checkPermission(parentId, AccessManager.WRITE); + accessMgr.checkPermission(parentId, AccessManager.ADD); } catch (AccessDeniedException re) { // otherwise the RepositoryException catch clause will // log a warn message, which is not appropriate in this case.