Bertrand Delacretaz wrote
> On Tue, Dec 29, 2015 at 11:29 AM, Carsten Ziegeler <[email protected]>
> wrote:
> ...
>>> If "admin safe" mode is enabled, loginAdmin fails *unless* the code
>>> that calls it is marked with the reason why it's needed.
>>
>> Don't want to be a pita, but that requirement is not in the issue :)..
>
> I said "IMO" ;-)

:)

>
>> ... Why can't we simply use the same concept as for the service users?
>> The caller bundle needs to be in a list of allowed bundles...
>
> If we accept that the granularity is at the bundle level then yes,
> that would work, the SLING-5135 requirement then becomes
>

I think that's easy and sufficient. A bundle doesn't get more insecure
whether it is doing a single loginAdmin call or several (of course the
danger of wrong code is higher) - if you have one open door it doesn't
matter if you have more open doors or not. For legitimate usages we can
require a comment similar to Sonar's // NOSONAR on the same line.

Carsten
--
Carsten Ziegeler
Adobe Research Switzerland
[email protected]
