[jira] [Commented] (SLING-5135) Whitelist legit usages of loginAdministrative and administrative ResourceResolver

Tue, 08 Nov 2016 07:25:09 -0800 

    [ 
https://issues.apache.org/jira/browse/SLING-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15647842#comment-15647842
 ] 

Julian Sedding commented on SLING-5135:
---------------------------------------

[~bdelacretaz] I will try to wrap this issue up, but I will probably need your 
inputs.

Can you please confirm that what's left to do are the following:

- rename the configuration properties as suggested by [~olli]
- add documentation

Furthermore, I have two questions regarding the current state of the 
implementation:

- What's the rationale for implementing the check for 
{{ResourceResolverFactory#getAdministrativeResourceResolver}} in 
{{JcrProviderStateFactory#requireCallingBundle}} rather than in 
{{CommonResourceResolverFactoryImpl#getAdministrativeResourceResolver}}? The 
latter would seem more intuitive and straight forward IMHO.
- Why is {{LoginAdminWhitelist}} in the package {{org.apache.sling.jcr.base}} 
rather than in an API package? While in practice it's most likely to be a JCR 
concern, conceptually it's a concern of the {{ResourceResolverFactory}} 
(package {{o.a.s.api.resource}}) and the {{SlingRepository}} (package 
{{o.a.s.jcr.api}}), so {{o.a.s.api}} would seem like a natural option.

Or was the intention to apply the {{LoginAdminWhitelist}} exclusively on 
{{SlingRepository#loginAdministrative}} while handing down the {{usingBundle}} 
for calls {{ResourceResolverFactory#getAdministrativeResourceResolver}} 
implementations?

Thanks in advance for any insights!

> Whitelist legit usages of loginAdministrative and administrative 
> ResourceResolver
> ---------------------------------------------------------------------------------
>
>                 Key: SLING-5135
>                 URL: https://issues.apache.org/jira/browse/SLING-5135
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Antonio Sanso
>            Assignee: Bertrand Delacretaz
>         Attachments: SLING-5135.patch, SLING-5135.patch
>
>
> {{AbstractSlingRepositoryManager}} contains a method that disable 
> loginAdministrative support
> {code}
>     /**
>      * Returns whether to disable the
>      * {@code SlingRepository.loginAdministrative} method or not.
>      *
>      * @return {@code true} if {@code SlingRepository.loginAdministrative} is
>      *         disabled.
>      */
>     public final boolean isDisableLoginAdministrative() 
> {code}
> This is a global configuration. It would be nice to have an extension of such 
> mechanism that contains a white list of (few) legit usage of 
> {{loginAdministrative}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to