On 23 Jun 2009, at 12:28, Bertrand Delacretaz wrote:

Hi,

On Tue, Jun 23, 2009 at 12:03 PM, Ian Boston <i...@tfd.co.uk> wrote:
On 23 Jun 2009, at 09:42, Felix Meschberger wrote:
... What exact problem do you want to solve with the restriction on script
access ? Do you have some kind of "x-bit" in mind ? The repository
itself has no support for (and cannot support) this kind of permission
itself....

Doesn't JCR 2.0 support arbitrary permissions? The spec says

"A privilege represents the ability to perform a particular set of
operations on a node. Each privilege is identified by a JCR name.
JCR defines a set of standard privileges within the Privilege
interface. An implementation may add additional privileges, using an
appropriate implementation specific namespace for their names"

So IIUC we (or rather Jackrabbit) might be able to define a
jackrabbit:execute privilege?

The issue might be space in the compiled bitmap, which is quite full.
And then there is the binding into the Jackrabbit implementation that doing this would imply.



Although Sling might choose to ignore this, I/we (sakai) are going to need to do something since all our users have write access to the repo, and at least 10% of them are Computer Science first year students just itching to prove their prowess by hacking/defacing an institutional system :)

Brings back memories ;-)

If we're using a distinct session for script resolution, we might want
to make its credentials configurable, and set up that user to see
scripts only under /libs and /apps. Would that suit your needs?

Yes, certainly would.
We already have a "securityloader" along the same lines as the "contentloader" so configuration of that would be easy for us.

Ian



-Bertrand
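
The restriction proposed in the thread above (a dedicated script-resolution user that can read only /libs and /apps), written against the standard JCR 2.0 access control API as an added example; it is not code from this thread, from Sling or from Jackrabbit. The class and method names, the `scriptUser` principal and the `userContentPath` argument are hypothetical, and the example assumes the repository grants that user no read access anywhere else by default.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

public final class ScriptResolverAcl {

    /** Grants jcr:read on each script root (e.g. "/libs", "/apps") to the script user. */
    public static void grantScriptRead(Session admin, Principal scriptUser, String... roots)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        for (String root : roots) {
            AccessControlList acl = findAcl(acm, root);
            acl.addAccessControlEntry(scriptUser, read);
            acm.setPolicy(root, acl);   // transient until save()
        }
        admin.save();
    }

    /** Reuses the ACL already bound to the node; otherwise takes an applicable one. */
    private static AccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        // getApplicablePolicies() is empty once a policy is bound, hence the check above.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        throw new RepositoryException("No access control list available at " + path);
    }

    /** Run with a session logged in as the script user: user content must be invisible. */
    public static boolean seesOnlyScripts(Session scriptSession, String userContentPath)
            throws RepositoryException {
        return scriptSession.nodeExists("/libs")
            && scriptSession.nodeExists("/apps")
            && !scriptSession.nodeExists(userContentPath);
    }
}
```

`seesOnlyScripts` is the check to keep in a deployment test: a script uploaded by a user under their own content path then never resolves through the script session, whatever write access that user holds.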
