Hi, On Fri, Oct 5, 2018 at 6:52 AM Carsten Ziegeler <cziege...@apache.org> wrote:
> ...I would like to get briefly back to the use case of this "dangerous > servlet". Why isn't that servlet doing the permission checks which I > think is way safer than relying on additional magic somewhere else > (regardless of what it is)?... That servlet can of course do its own checks, but how? I don't think we have a recommended way of doing that, nor tools that help. The goal here is to define a standard way for how code running in Sling can check permissions, which can be as simple as void checkAllPermissions(ResourceResolver context, String ... permissionName) throws PermissionDeniedException One idea discussed earlier was to create a generic permissions checking service for that. Here I think Radu is taking the angle that such permissions are currently only needed for resource types, servlets and scripts, so this permissions API and impl can stay internal to the servlets resolver module for now. I think that works, provided that's designed in a way that allow us to take it out into a standalone module if needed later. -Bertrand
