[ https://issues.apache.org/jira/browse/SLING-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13593511#comment-13593511 ]
angela commented on SLING-2698: ------------------------------- honestly, i fail to see the difference between the use-cases you are listing above and other access control restriction. i could - to some extend - follow your argument if you would say that your 'store' doesn't have any ac and you want to build in in the sling layer as your resource provider was something really internal to the sling layer and by no means exposed otherwise. but distributing some kind of access restriction to different layers as you are suggesting is IMO a bad thing that will cause major security issues. regarding your examples: A) is IMO not related to access control at all. disallowing anonymous access in the sling-auth configuration would just do the trick. B) this is a perfect example for the additional restrictions as defined in the JSR 283 (see 9.1 Permissions) that form the distinction between the privileges such as defined by the specification and the permissions that result from a given access control model. > Add a minimal resource access gate > ---------------------------------- > > Key: SLING-2698 > URL: https://issues.apache.org/jira/browse/SLING-2698 > Project: Sling > Issue Type: New Feature > Components: ResourceResolver > Reporter: Mike Müller > Assignee: Mike Müller > Fix For: Resource Resolver 1.1.0 > > Attachments: resource-resolver-wrapper.patch > > > Adding a minmal resource access gate as discussed in [1]. > First step is to define the API interface and a minimal implementation which > allows to define READ access (rest of CRUD can follow later) > [1] http://markmail.org/thread/4ctczoiy533tquyl -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira