I can't speak to whether this was by intent or not, but I would definitely recommend preventing anonymous access to /system. Beyond that, it gets very application-specific quickly.
Justin On 9/9/10 6:47 PM, Mike Moulton wrote: > I recently had the need to get a list of users from an AJAX style client and > found the jackrabbit usermanager exposes this functionality at > system/userManager/user. As a part of this discovery, I noticed the listing > of JCR users is not restricted in any way. If the usermanager bundle is > installed, the following endpoint is open to the public: > http://localhost:8080/system/userManager/user.tidy.1.json, providing a > complete user list to anyone digging around. Any usermanager command that > allows modifications to the JCR first checks if the user is an admin, but it > seems all the read-only commands skip this check. > > Is this by intention, or was this simply missed? > > In addition, what are the thoughts on adding some sort of authorization > component beyond just the isAdmin check? Maybe inspecting the > jcr:readAccessControl / jcr:modifyAccessControl for the root node? > > -- Mike
