[ https://issues.apache.org/jira/browse/OAK-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15635592#comment-15635592 ]

angela commented on OAK-4959:
-----------------------------

[~chetanm], I am sorry, but those 2 statements don't match up... if you are 
looking for a regular permission setup as we have for the index-definition 
management you can't enforce #b. as far as indices are concerned everyone with 
sufficient permission can create those definitions. this is nothing that is 
limited to system-admin(s) of either of those categories mentioned above.

if - on the other hand - you want to enforce #a, #b or #c we should enforce it 
on the Oak layer because with a regular permission setup there is no guarantee 
whatsoever that it's only system admin(s) writing that content. someone placing 
a permission setup for a user on the root node e.g. may grant that user the 
ability to write your config. someone changing your initial permission 
setup (be it intentionally or unintentionally) may allow non-admin users to 
write.

so, shall we have a discussion during the Oakathon on what exactly you want to 
achieve? To me the info now is a bit contradicting :-)

> Review the security aspect of bundling configuration
> ----------------------------------------------------
>
>                 Key: OAK-4959
>                 URL: https://issues.apache.org/jira/browse/OAK-4959
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: documentmk
>            Reporter: Chetan Mehrotra
>            Assignee: Chetan Mehrotra
>              Labels: bundling
>             Fix For: 1.6
>
>
> The config for node bundling feature in DocumentNodeStore is currently stored 
> under {{jcr:system/rep:documentStore/bundlor}}. This task is meant to 
> * Review the access control aspect - This config should be only updatable 
> by system admin
> * Config under here should be writeable via JCR api



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
