Thanks a lot for your hints and the small discussion. In a first step I will propably go on with my small project without the directory structure for my scripts I had in mind. :-) Thanks again.
Regards, Oliver 2009/7/30 Alexander Klimetschek <aklim...@day.com> > On Thu, Jul 30, 2009 at 3:05 PM, Ian Boston<i...@tfd.co.uk> wrote: > > I might be missing the point, but, > > I think this is a generic problem not just limited to this area, if I can > > create a node and set sling:resourceType=something/nasty, *and* upload an > > arbitrary script to somewhere that is resoled to by "something/nasty" , > then > > I can do the same in 2 steps ? > > > > IIRC, there is some work in progress to limit how scripts are loaded, but > it > > may not extend as far as protecting the location. > > You are right, I forgot about that issue. So basically one has to make > sure anonymous or "public" users (ie. through self-registration) > cannot set resource types (which would require an ACL on the > sling:resourceType/sling:superResourceType properties, which isn't > possible with JCR 1.0 or 2.0) or simply has only write-access to > locations that are not part of the script resolution search path. > > > also... how does a script resolve *outside* /apps ? > > You can use an absolute path... at least in Java servlets with the > sling.servlet.paths SCR property. Not sure if this applies to > sling:resourceType as well. > > >> :name and :nameHint are not enough? > > > > yes, for names like /content/new/a_file_that_was_hinted > > > > but not so good for > > > > /content/new/a/file/that/was/hinted > > where the name is a path, perhaps derived from the post. > > Yes, this use case must be handled on the client side (eg. Javascript > in browsers), to set the path before the post. > > Regards, > Alex > > -- > Alexander Klimetschek > alexander.klimetsc...@day.com > -- Dr. Oliver Pfeiffer Individual Computing GmbH Ingelsteinweg 2d, 4143 Dornach Tel.: +41 61 511 23 63 E-Mail: oliver.pfeif...@individual-computing.com Web: www.individual-computing.com
