I recently had the need to get a list of users from an AJAX-style client and 
found that the Jackrabbit usermanager exposes this functionality at 
system/userManager/user. As a part of this discovery, I noticed the listing of 
JCR users is not restricted in any way. If the usermanager bundle is installed, 
the following endpoint is open to the public: 
http://localhost:8080/system/userManager/user.tidy.1.json, providing a complete 
user list to anyone digging around. Any usermanager command that allows 
modifications to the JCR first checks if the user is an admin, but it seems all 
the read-only commands skip this check.

Is this by intention, or was this simply missed?

In addition, what are the thoughts on adding some sort of authorization 
component beyond just the isAdmin check? Maybe inspecting the 
jcr:readAccessControl / jcr:modifyAccessControl for the root node?

-- Mike
