Hi Bertrand, > On 5 Oct 2018, at 16:18, Bertrand Delacretaz <[email protected]> wrote: > > Hi, > > On Fri, Oct 5, 2018 at 2:47 PM Jason E Bailey <[email protected]> wrote: >> ...1. Each resource provider, if it supports security, should be responsible >> for security... > > I think there are misunderstandings in this thread about what we're > trying to achieve. > > Radu, correct me if I'm wrong but I think the only aspect of your > proposal that we need to agree upon right now is to create a service > that provides an API like > > /** Throw a PermissionDeniedException if any of the requested > permissions is not granted > * in the context of the supplied ResourceResolver which points to > a specific user */ > void checkAllPermissions( > ResourceResolver context, > String ...requestedPermission) > throws PermissionDeniedException; > > The goal being to define permissions for things which are not content > - like letting a specific user execute any code that's tied to a > particular resource type, without having to implement checks in all > the affected code and scripts. > > How these permissions are configured and evaluated is an > implementation detail that we can discuss separately. > > I think Radu is proposing to keep this API internal to the servlets > resolver as we don't see a need for it outside of that for now.
Yes, an internal API for now would be more than enough, since we have only one use-case. I’ve already started hacking on something [1] - it’s by no means neither ready, nor complete, but for now it seems to work and it’s only meant to show the idea. We could obviously transform my hack into something more generic, but if we’re only talking about this one use-case it might not be needed. > > Can we agree on this? If yes the remaining aspects can be addressed > separately in more specific discussions. > > -Bertrand Cheers, Radu [1] - https://github.com/apache/sling-org-apache-sling-engine/compare/resource-type-execution?expand=1
