Usually it is not required for a application to check the privileges/permissions of a given session (or set of principals) as this evaluation can be left to the repository.
For rare cases where the application needs to understand if a given session is actually allowed to perform a given action, it is recommend to use Session.hasPermission(String, String) or JackrabbitSession.hasPermission(String, String...)
In order to test permissions that are not reflected in the action constants defined on Session or JackrabbitSession, the default implementation also allows to pass the names of the Oak internal permission.
To evaluate privileges granted for a given editing session AccessControlManager.hasPrivileges(String, Privilege[]), AccessControlManager.getPrivileges(String) can be used. The JackrabbitAccessControlManager defines variants of both methods that in addition take a set of Principal. If the editing session as sufficient permissions these methods can be used to evaluate/obtain privileges for a different set of principals than associated with the editing session.
Since Oak 1.42.0 JackrabbitAccessControlManager defines JackrabbitAccessControlManager.getPrivilegeCollection(String) and JackrabbitAccessControlManager.getPrivilegeCollection(String, Set) which allows for efficient evaluation if a given set of privileges are granted at a given path. It allows to avoid repeated calls to hasPrivileges for the same path or manual resolution of privilege aggregation (see OAK-9494 for details).
The subtle differences between the permission-testing Session and the evaluation of privileges on AccessControlManager are listed below.
Where
See section Permissions for a comprehensive list and the mapping from actions to permissions.
Where
For testing purpose the Jackrabbit extension further allows to verify the privileges granted to a given combination of principals, which may or may not reflect the actual principal-set assigned to a given Subject. These calls (see below) however requires the ability to read access control content on the target path.