Hi,

In SLING-5848 [1] Oliver has raised the question about restricting access for the "everyone" principal, since we've started introducing service users with very limited access. Currently the "everyone" principal is granted read access on "/" for backwards compatibility reasons. For more details see [2] and [3].

Should we change this and only allow "jcr:read" on a new /content folder for "everyone"?

Thanks,
Radu

[1] - https://issues.apache.org/jira/browse/SLING-5848
[2] - https://github.com/apache/sling/blob/trunk/bundles/jcr/oak-server/src/main/java/org/apache/sling/jcr/oak/server/internal/OakSlingRepositoryManager.java#L191
[3] - https://github.com/apache/sling/blob/trunk/bundles/jcr/oak-server/src/main/java/org/apache/sling/jcr/oak/server/internal/OakSlingRepositoryManagerConfiguration.java#L60
