[ https://issues.apache.org/jira/browse/SLING-6191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15622155#comment-15622155 ]

Santiago García Pimentel commented on SLING-6191:
-------------------------------------------------

[~joerghoh] I think it would have to be made at some point. From the TODO 
points in SLING-550:
- "Access control: status nodes should be readable by their owner only (+ admin 
of course)."
I don't think this is happening right now, and any user with rights to that node 
could access other users' jobs.

> Background servlets uses the user's session to create job node
> --------------------------------------------------------------
>
>                 Key: SLING-6191
>                 URL: https://issues.apache.org/jira/browse/SLING-6191
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: Background Servlets 1.0.6
>            Reporter: Santiago García Pimentel
>
> When you call a background servlet, it will create a node by default in 
> /var/bg/jobs. This is done using the same session of the user that made the 
> request.
> This causes problems since it is possible that the user does not have write 
> access to that directory. If this is the case the request will fail due to an 
> AccessDeniedException.
> Also, the node doesn't seem to exist by default, so you have to manually create 
> it to apply any permissions to it.
> Instead the job node should be created with a dedicated user.
> I reproduced this with org.apache.sling.bgservlets 1.0.6



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
