[ 
https://issues.apache.org/jira/browse/SLING-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13593511#comment-13593511
 ] 

angela commented on SLING-2698:
-------------------------------

honestly, i fail to see the difference between the use-cases you are listing 
above and other access control restriction.
i could - to some extent - follow your argument if you would say that your 
'store' doesn't have any ac and you want to build it in the sling layer
as your resource provider was something really internal to the sling layer and 
by no means exposed otherwise.

but distributing some kind of access restriction to different layers as you are 
suggesting is IMO a bad thing that will
cause major security issues.

regarding your examples:
A) is IMO not related to access control at all. disallowing anonymous access in 
the sling-auth configuration would just do the trick.
B) this is a perfect example for the additional restrictions as defined in the 
JSR 283 (see 9.1 Permissions) that form the distinction between the 
privileges such as defined by the specification and the permissions that 
result from a given access control model.
                
> Add a minimal resource access gate
> ----------------------------------
>
>                 Key: SLING-2698
>                 URL: https://issues.apache.org/jira/browse/SLING-2698
>             Project: Sling
>          Issue Type: New Feature
>          Components: ResourceResolver
>            Reporter: Mike Müller
>            Assignee: Mike Müller
>             Fix For: Resource Resolver 1.1.0
>
>         Attachments: resource-resolver-wrapper.patch
>
>
> Adding a minimal resource access gate as discussed in [1].
> First step is to define the API interface and a minimal implementation which 
> allows to define READ access (rest of CRUD can follow later)
> [1] http://markmail.org/thread/4ctczoiy533tquyl
