[ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549022#comment-15549022 ]

Radu Cotescu commented on SLING-5848:
-------------------------------------

You're right, this principal's ACLs should be more restrictive, so I guess {{deny jcr:all on /}} makes sense. What do you mean though by:
bq. We are granting read on / to everyone in Oak Server (configurable)

Shouldn't we aim for having all the ACLs defined in one place?

> Define service user and ACLs for Scripting
> ------------------------------------------
>
>                 Key: SLING-5848
>                 URL: https://issues.apache.org/jira/browse/SLING-5848
>             Project: Sling
>          Issue Type: Task
>          Components: Launchpad, Scripting
>            Reporter: Oliver Lietz
>            Assignee: Oliver Lietz
>             Fix For: Launchpad Builder 9
>
>
> Scripting implementations require a (service) ResourceResolver with very
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * -{{/etc}}- (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or
> {{sling.scripting}} (?)
> *repoinit:*
> {noformat}
> create path /apps
> create path /libs
> create service user sling-scripting
> set ACL for sling-scripting
>     allow jcr:read on /apps
>     allow jcr:read on /libs
> end
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)