Node ordering is not preserved when using rep:glob ACLs | AEM 6.0-6.2, Oak 1.x


When you grant a user (or group) access to an ordered JCR parent node but not to the child nodes, then when the user logs in who has that access the child node ordering under that node is not preserved.
Here's an example demonstrating the issue: 

  1. Create a sling:OrderedFolder folder called "mysites".

  2. Create seven pages in the above folder called "one", "two", ... , "seven".

  3. Create two new groups -- testGroup and testGlobalGroup.

  4. Create a "testUser" account and add it as member of the two groups in step 3.

  5. Add the following permissions for testGlobalGroup.

     "read" for "/"
              "read" for "/content/mysites" with glob for "jcr:primaryType"
              "read" for "/content/mysites" with glob for "" 
  6. Add the following permissions for the testGroup:

    deny read access for the page "two", "four" and "six" 
  7. Log in as "testUser" and verify the order of the pages within the "mysites" folder.


This is due to a bug in Oak JCR repository where the rep:glob ACLs get applied to hidden properties -


This is fixed in AEM6.3 and later versions. 

However, you can work around this bug in older versions by doing the following:

  1. Go to http://host:port/crx/de/index.jsp and log in as admin.

  2. Browse to the parent node.

  3. Click on the "Access Control" tab on the bottom right panel.

  4. Create the following Access Control Entry by clicking the green plus icon in the 
    Allow, jcr:read, rep:glob=/:childOrder.

Below is a screenshot of what your ACL might look like after this: