[jira] [Commented] (SLING-8375) SlingPostServlet: :import operation must skip protected properties if present

[Viorel Lupu (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SLING-8375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876326#comment-16876326
 ] 

Viorel Lupu commented on SLING-8375:
------------------------------------

[~rombert]: for controlled environments using FileVault content packages is 
surely a more appropriate solution. The sling contentloader has been used as a 
lightweight approach for restricted environments where, for example, the system 
console or package manager are not available. With some simple JSON 
preprocessing the contentloader fulfills the task provided that the content is 
not deeply nested (typically up to 3 levels) and does not contain complex 
structures. Having some extra logic for filtering protected properties would be 
a 'nice-to-have' feature but given the complexity of the logic for identifying 
and handling different types of protected properties maybe it would be safer to 
leave it the way it is. Moreover applying extra filtering logic might have a 
high potential for regressions.

> SlingPostServlet: :import operation must skip protected properties if present
> -----------------------------------------------------------------------------
>
>                 Key: SLING-8375
>                 URL: https://issues.apache.org/jira/browse/SLING-8375
>             Project: Sling
>          Issue Type: Improvement
>          Components: Servlets
>         Environment: AEM 6.3
>            Reporter: Viorel Lupu
>            Priority: Major
>              Labels: import, json
>             Fix For: Servlets Post 2.3.32
>
>         Attachments: error-import-json.log
>
>          Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> h2. Description
> Posting JSON content to the SlingPostServlet with *:import* operation as 
> documented at 
> [https://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#importing-content-structures]
>  fails when the JSON payload contains protected property names such as:
>  
> {code:java}
> "jcr:createdBy",
> "jcr:created",
> "jcr:createdBy",
> "jcr:baseVersion",
> "jcr:lastModified",
> "jcr:lastModifiedBy",
> "jcr:uuid",
> "cq:lastModified",
> "cq:lastModifiedBy",
> "cq:lastReplicated",
> "jcr:versionHistory",
> "rep:policy",
> "onTime",
> "offTime"
> {code}
> {code:java}
> # curl invocation
> curl -L -vv -u admin:admin \
> -F ":operation=import" \
> -F ":contentType=json" \
> -F ":name=newcontentnode" \
> -F ":content=@data.json" \
> -F ":replace=true" \
> -H 'Referer: http://localhost:4502/content/we-retail/language-masters/en' \
> -H 'User-Agent: Adobe-Campaign/5.0' \
>  http://localhost:4502/content/we-retail/language-masters/en{code}
>  
> h2. Suggested Improvement
> Add a new POST parameter {{:ignoreProperties}} which can take a 
> comma-separated list of properties for the importer to skip.
> h2. Error.log:
> more detailed error log attached to issue
>  
> {code:java}
> 26.04.2019 16:34:55.298 *ERROR* [0:0:0:0:0:0:0:1 [1556289295274] POST 
> /content/we-retail/language-masters HTTP/1.1] 
> org.apache.sling.servlets.post.impl.operations.ImportOperation Exception 
> during response processing.
> javax.jcr.nodetype.ConstraintViolationException: Property is protected: 
> jcr:createdBy = admin
> at 
> org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.setProperty(NodeDelegate.java:525)
> at 
> org.apache.jackrabbit.oak.jcr.session.NodeImpl$35.perform(NodeImpl.java:1376)
> at 
> org.apache.jackrabbit.oak.jcr.session.NodeImpl$35.perform(NodeImpl.java:1364)
> at 
> org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
> at org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112)
> at 
> org.apache.jackrabbit.oak.jcr.session.NodeImpl.internalSetProperty(NodeImpl.java:1364)
> at 
> org.apache.jackrabbit.oak.jcr.session.NodeImpl.setProperty(NodeImpl.java:434)
> at 
> org.apache.sling.jcr.contentloader.internal.DefaultContentCreator.createProperty(DefaultContentCreator.java:361)
> at 
> org.apache.sling.jcr.contentloader.internal.readers.JsonReader.createProperty(JsonReader.java:226)
> at 
> org.apache.sling.jcr.contentloader.internal.readers.JsonReader.createNode(JsonReader.java:199)
> at 
> org.apache.sling.jcr.contentloader.internal.readers.JsonReader.createNode(JsonReader.java:197)
> at 
> org.apache.sling.jcr.contentloader.internal.readers.JsonReader.parse(JsonReader.java:159)
> at 
> org.apache.sling.jcr.contentloader.internal.DefaultContentImporter.importContent(DefaultContentImporter.java:93)
> at 
> org.apache.sling.servlets.post.impl.operations.ImportOperation.doRun(ImportOperation.java:176)
> at 
> org.apache.sling.servlets.post.AbstractPostOperation.run(AbstractPostOperation.java:97)
> at 
> org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:205)
> at 
> org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:146)
> at 
> org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:342)
> at 
> org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:374)
> at 
> org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)