Hi Felix,


> The event is executed with the credentials of Event.getUserId().

> First it might not work. Of course, given the admin session, you might
> create a session of the desired user. Second, and more important:
> Event.getUserId() is the user name of the session which performed the
> changes causing the event.

This is how it should behave. You change something in the repository and then you trigger the registered (high-level) event handlers.

> Running the event handler as that user would
> leave a backdoor wide open. So this is definitely a no-go. Sorry.

I do not see the backdoor. Default permissions do still apply, and you as an authenticated user cannot inject a script that would be executed and the script cannot acquire a higher permission level.

Can you describe a scenario where this backdoor is used?

regards,

Lars
--
Lars Trieloff
[EMAIL PROTECTED]
http://weblogs.goshaky.com/weblogs/lars

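As an added illustration of the mechanism under discussion (this is example code written for this page, not code from the original thread, from Sling or from Jackrabbit): a JCR EventListener that takes the user name of the session which caused the event, obtains a session for that user by impersonating it from an administrative session, and does its follow-up work through that session. In the JCR API the accessor is spelled Event.getUserID(). The class name RunAsEventUserListener, the constructor argument adminSession and the "processedBy" property are assumptions made for the example; how the administrative session is obtained is left outside it.

```java
import javax.jcr.Credentials;
import javax.jcr.LoginException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import javax.jcr.observation.ObservationManager;

/**
 * Hypothetical listener (example only): runs its follow-up work with the
 * access rights of the user whose change produced the event.
 * adminSession is assumed to be an administrative session supplied by the caller.
 */
public class RunAsEventUserListener implements EventListener {

    private final Session adminSession;

    public RunAsEventUserListener(Session adminSession) {
        this.adminSession = adminSession;
    }

    /** Register this listener for node additions below absPath (deep). */
    public void register(String absPath) throws RepositoryException {
        ObservationManager om = adminSession.getWorkspace().getObservationManager();
        om.addEventListener(this, Event.NODE_ADDED, absPath, true, null, null, false);
    }

    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            Event event = events.nextEvent();
            try {
                handle(event);
            } catch (RepositoryException e) {
                // One failing event must not stop delivery of the remaining ones.
                System.err.println("event handling failed for " + safePath(event) + ": " + e);
            }
        }
    }

    private void handle(Event event) throws RepositoryException {
        String userId = event.getUserID();
        if (userId == null || userId.isEmpty()) {
            // Change with no originating user (e.g. system-generated): nobody to run as.
            return;
        }
        // Impersonation is a privilege of the administrative session. The session it
        // returns carries only the impersonated user's rights, so access control on
        // everything done below is evaluated exactly as if that user had logged in.
        Credentials creds = new SimpleCredentials(userId, new char[0]);
        Session userSession;
        try {
            userSession = adminSession.impersonate(creds);
        } catch (LoginException e) {
            // Unknown user or impersonation refused: skip the event. Deliberately
            // no fallback to adminSession, which would run the work with admin rights.
            System.err.println("cannot impersonate " + userId + ", skipping event: " + e.getMessage());
            return;
        }
        try {
            // Fails with PathNotFoundException if userId may not even read the node.
            Node added = userSession.getNode(event.getPath());
            // Example follow-up work. If userId lacks the right to modify properties
            // here, this fails (AccessDeniedException at setProperty or save) instead
            // of silently succeeding with the administrative session's rights.
            added.setProperty("processedBy", userId);
            userSession.save();
        } finally {
            userSession.logout();
        }
    }

    private static String safePath(Event event) {
        try {
            return event.getPath();
        } catch (RepositoryException e) {
            return "<unknown>";
        }
    }
}
```

The point the example makes concrete is the one both sides of the thread take for granted: the impersonated session is bounded by the event user's own permissions, so whatever the handler does through it is subject to the same access-control checks as that user's original change. What the example does not settle is the disagreement itself, namely whether letting a handler act on behalf of the change's author at all is acceptable.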