Hi Bertrand,

2018-06-21 15:28 GMT+02:00 Bertrand Delacretaz <bdelacre...@apache.org>:
>
> I think we have discussed a few times how to restrict the execution of
> certain servlets like this one, as currently any user who can create a
> node with the sling/capabilities resource type can get access to that
> information.
>
> But we didn't come to a firm conclusion AFAIR.
>
> To prevent this I can use a "shadow permissions resource" at a
> configurable path, defaulting to
> /libs/sling/permissions/capabilities/read
>
> The CapabilitiesServlet can then require that resource to be present
> and readable by the current user, and return a 403 Forbidden status if
> not.
>

This approach of using a shadow permission resource doesn't sound good to me.

I think that binding servlets to a resource type always gives anyone with write access to the repo the chance to create a resource with any resource type and then get the servlet executed. If we consider this a way which we should protect ourselves against, we should come up with a dedicated design and nothing ad-hoc, because then we have to secure quite some functionality.

If we ignore this "attack vector", the chance to apply permissions to such a resource (e.g. using a JCR repo) should provide enough ways to protect access to this functionality.

Jörg

--
Cheers,
Jörg Hoh,

http://cqdump.wordpress.com
Twitter: @joerghoh
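For readers following the thread, here is an added example (not Bertrand's patch and not code from the Sling project) of the "shadow permission resource" guard quoted above, written as a Sling servlet registered for the sling/capabilities resource type. Only the resource type and the default path /libs/sling/permissions/capabilities/read come from the message; the class and package names, the configuration property name, the json extension and the placeholder response body are assumptions made for the example.

```java
package org.example.capabilities; // hypothetical package, not part of Sling

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

// Bound to the resource type from the thread; any user who can create such a node
// can address this servlet, which is exactly the situation the guard is for.
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=sling/capabilities",
        "sling.servlet.methods=GET",
        "sling.servlet.extensions=json"   // assumed extension for the example
})
@Designate(ocd = GuardedCapabilitiesServlet.Config.class)
public class GuardedCapabilitiesServlet extends SlingSafeMethodsServlet {

    @ObjectClassDefinition(name = "Guarded Capabilities Servlet (example)")
    public @interface Config {
        @AttributeDefinition(name = "Permission resource path",
            description = "Resource the requesting user must be able to read before the servlet responds")
        String permission_resource_path() default "/libs/sling/permissions/capabilities/read";
    }

    private String permissionPath;

    @Activate
    protected void activate(Config config) {
        permissionPath = config.permission_resource_path();
    }

    /**
     * True if the guard resource exists and is readable by the requesting user.
     * getResource() is called through the request's own ResourceResolver, i.e. the
     * caller's JCR session, so a node that exists but is not readable by this user
     * is returned as null just like a missing one. The ACL on the guard path is
     * therefore the access decision for this servlet.
     */
    static boolean canReadPermissionResource(SlingHttpServletRequest request, String path) {
        Resource guard = request.getResourceResolver().getResource(path);
        return guard != null;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!canReadPermissionResource(request, permissionPath)) {
            // Creating a sling/capabilities node is no longer sufficient: the caller
            // must also have been granted read access on the guard resource.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // Placeholder body; the real servlet would render the capabilities here.
        response.getWriter().write("{\"capabilities\":{}}");
    }
}
```

The design point worth noting is where the decision moves: without the guard, the question "who may call this servlet" is answered by "who may write a node of that resource type", which on a typical repository is a large group. With the guard, it is answered by the read ACL on one well-known path under /libs that ordinary content authors do not control. The limitation Jörg raises still applies, though: this protects only the one servlet that implements the check, so every other resource-type-bound servlet that exposes sensitive data would need the same treatment, which is the argument for a general mechanism rather than a per-servlet one.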