Am 06.08.2021 um 14:40 schrieb Bertrand Delacretaz:
I was going to say that you should use the incoming request's identity instead of calling loginAdministrative [2] but I forgot if that's possible in a web console plugin. The current code causes a privilege escalation, which might be ok for a console plugin but that IMHO we should avoid if possible.
Privilege escalation should really be avoided. Just for the record, a webconsole plugin can use the current user / resource resolver - if Sling's webconsole security provider is enabled.
Regards Carsten -- Carsten Ziegeler Adobe [email protected]
