On Fri, Aug 6, 2021 at 8:40 AM Bertrand Delacretaz <[email protected]> wrote:
> Hi,
>
> On Thu, Aug 5, 2021 at 8:00 PM Daniel Klco <[email protected]> wrote:
> > ...I've been working on a web console plugin for users to test and validate
> > their RepoInit scripts on an instance of Sling. It would not be expected to
> > be installed in production, but something for developers to install in a
> > local instance....
>
> Any code that gets written is bound to end up in production some day ;-)
>
> More seriously, I think nowadays we'd rather create command-line
> utilities for such things, but I don't think we have a good framework
> for doing that at this point.
>
> Jbang scripts [1] for example might be a nice way to do that if
> someone has good ideas.

That makes a lot of sense to me, a CLI tool seems more useful since it would require less setup than having to install then whitelist a bundle. The question I have though is how would I get access to the running OSGi context? I've done JCR over RMI, but I'm not seeing a good way to invoke services remotely.

> This is just a general comment, I'm not opposed to a webconsole plugin
> in this case.
>
> > ...Please review the project in the Sling Whiteboard:
> >
> > https://github.com/apache/sling-whiteboard/tree/master/org.apache.sling.repoinit.webconsole
> ...
>
> I was going to say that you should use the incoming request's identity
> instead of calling loginAdministrative [2] but I forgot if that's
> possible in a web console plugin.
> The current code causes a privilege escalation, which might be ok for
> a console plugin but that IMHO we should avoid if possible.

Thus the non-production callout :-D

> -Bertrand
>
> [1] https://www.jbang.dev/
> [2] https://github.com/apache/sling-whiteboard/blob/c369b1bbba2c990cfe05d706efdb1ba5050f5fa6/org.apache.sling.repoinit.webconsole/src/main/java/org/apache/sling/repoinit/webconsole/RepoInitWebConsole.java#L152
