[ https://issues.apache.org/jira/browse/SLING-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13593438#comment-13593438 ]
angela commented on SLING-2698: ------------------------------- from a security point of view if find the concept rather cumbersome irrespective of my jackrabbit hut. access control should be enforced by the lowest accessible layer. if you push it up to the stack as in this case you will likely end up with any of the following situations: A) you have to grant broader access rights on the lower level and somehow close it in the app (sling) layer -> will introduce security issues if the is an alternative access mechanism (there usually is one). B) you look down the access on the lower level and need some sort of 'administrative' resource access mechanism that will then enforce the extra access restrictions defined in the sling layer. any kind of error is very likely to result in a privilege escalation to admin (lesson no. 1 leaned from SlingRepository#loginAdministrative). kind regards angela > Add a minimal resource access gate > ---------------------------------- > > Key: SLING-2698 > URL: https://issues.apache.org/jira/browse/SLING-2698 > Project: Sling > Issue Type: New Feature > Components: ResourceResolver > Reporter: Mike Müller > Assignee: Mike Müller > Fix For: Resource Resolver 1.1.0 > > Attachments: resource-resolver-wrapper.patch > > > Adding a minmal resource access gate as discussed in [1]. > First step is to define the API interface and a minimal implementation which > allows to define READ access (rest of CRUD can follow later) > [1] http://markmail.org/thread/4ctczoiy533tquyl -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira