[
https://issues.apache.org/jira/browse/OAK-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15826434#comment-15826434
]
angela commented on OAK-4959:
-----------------------------
[~chetanm], I will take a look asap... just from the description it looks quite
odd to register a {{PrincipalConfiguration}} for this (but you probably agree
if I read your comment). Can I ask you some more general questions regarding
the original description?
- does it need to be stored under jcr:system/rep:documentStore/bundlor? and if
yes, why?
- why does it need to be writeable using JCR API?
- is there a reason for not making this an OSGi configuration? Since the system
console is by definition a system-admin tool (and any access by someone else
was a most severe security issue) that would look like a better fit to me than
some arbitrary location in the repository that up to now has not stored any
sensitive configuration.
> Review the security aspect of bundling configuration
> ----------------------------------------------------
>
> Key: OAK-4959
> URL: https://issues.apache.org/jira/browse/OAK-4959
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: documentmk
> Reporter: Chetan Mehrotra
> Assignee: Chetan Mehrotra
> Labels: bundling
> Fix For: 1.5.18, 1.6
>
> Attachments: OAK-4959-v1.patch
>
>
> The config for node bundling feature in DocumentNodeStore is currently stored
> under {{jcr:system/rep:documentStore/bundlor}}. This task is meant to
> * Review the access control aspect - This config should be only updatable
> by system admin
> * Config under here should be writeable via JCR API