Hi Lars,

On Friday, 21.12.2007, at 12:46 +0100, Lars Trieloff wrote:
> > request-level or resource-level filters.
> >
> > The problem with filtering is that it imposes certain performance
> > degradation. So if you (or Michael) would be able to present a
> > concept or even a patch, we may certainly further discuss.
>
> Let's start with a concept, then a patch and then care for
> performance. No premature optimization.

Sure, but a concept which obviously suffers from bad performance should be carefully reviewed :-)

> >> - repository events
> >
> > This sounds easy to implement, though there are certain ACL related
> > open issues: What credentials are active for the scripted events? Who
> > is allowed to post scripted JCR event handlers? In fact this has
> > already been discussed [1] to a certain degree but without reaching a
> > final target...
>
> Everybody who can create scripts or servlets is allowed to post
> scripted event handlers, a simple ACL on the events-tree is enough.

Sounds reasonable, and I would have proposed that way, too.

> The event is executed with the credentials of Event.getUserId().

First, it might not work. Of course, given the admin session, you might create a session of the desired user.

Second, and more important: the Event.getUserId is the user name of the session which performed the changes causing the event. Running the event handler as that user would open a backdoor wide open. So this is definitely a no-go. Sorry.

Regards
Felix
