On Thursday 06 October 2016 10:03:41 Radu Cotescu wrote:
> Hi,
>
> In SLING-5848 [1] Oliver has raised the question about restricting access
> for the "everyone" principal, since we've started introducing service users
> with very limited access. Currently the "everyone" principal is granted
> read access on "/" for backwards compatibility reasons. For more details
> see [2] and [3].
>
> Should we change this and only allow "jcr:read" on a new /content folder
> for "everyone"?
Some additional points:

- we should move the configuration for "everyone" from Oak Server to repoinit
  (it was never implemented completely in Oak Server, so removing it and
  logging a warning should be fine)
- besides tests which might be affected, there may be other clients which rely
  on reading / (we have to find out)
- it is best practice to avoid "deny", so it should be removed from
  sling-scripting (which would allow sling-scripting to read from /content also)

Regards,
O.

> Thanks,
> Radu
>
> [1] - https://issues.apache.org/jira/browse/SLING-5848
> [2] - https://github.com/apache/sling/blob/trunk/bundles/jcr/oak-server/src/main/java/org/apache/sling/jcr/oak/server/internal/OakSlingRepositoryManager.java#L191
> [3] - https://github.com/apache/sling/blob/trunk/bundles/jcr/oak-server/src/main/java/org/apache/sling/jcr/oak/server/internal/OakSlingRepositoryManagerConfiguration.java#L60
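The two ACL setups under discussion, written out as repoinit statements. This is an added example, not part of the thread and not the project's own configuration: the path /content and the "everyone" principal are taken from the messages above, the use of sling:Folder for the new node is an assumption.

```repoinit
# Added example, not from the mailing-list thread.
#
# Status quo described above: "everyone" may read from the repository root,
# so every service user and anonymous session can traverse the whole tree.
set ACL for everyone
    allow jcr:read on /
end

# Proposed replacement: create the new folder (node type is an assumption)
# and grant read only there. Nothing outside /content is granted, so no
# "deny" entry is needed to shut the rest of the tree off, which is the
# point made above about avoiding deny.
create path (sling:Folder) /content

set ACL for everyone
    allow jcr:read on /content
end
```

Repoinit statements are additive: the two `set ACL` blocks are shown side by side only for comparison, and a deployed script would carry just the second one, otherwise the root-level read entry stays in place. Whether existing clients depend on reading / has to be checked separately, as the message notes.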
