Bertrand Delacretaz wrote:
> 2) Prevent legitimate scripts from messing up with the system

A variant of 2) just showed up in the "Accessing JCR" thread. Looks like anyone that can upload a script can do the following:

    <sling:defineObjects/>
    <%
      SlingRepository repo = sling.getService(SlingRepository.class);
      Session superSession = repo.loginAdministrative(null);
      // and then do anything, like superSession.getRootNode().remove();
    %>

Regards,
Rory
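One defensive check that follows from Rory's observation, as an added example that is not part of the thread and not Sling project code: a lint run over an uploaded script before it is stored, flagging scriptlets that look up the repository service and open an administrative session. The rule names, the `Finding` type and the assumption that script content is available as a string before storage are this example's own; the two call patterns come from the snippet in the message.

```python
"""Added example (not code from the Sling thread): a pre-upload lint that
flags JSP scriptlets which obtain an administrative JCR session.

Assumptions (not from the original message): the script body is available
as a string, and this check runs before the script is written to the
repository. Rule names are hypothetical labels for this example."""
import re
from dataclasses import dataclass

# Call patterns taken from the snippet in the message. The rule names are
# hypothetical, chosen for this example only.
RISKY_PATTERNS = {
    "admin-session": re.compile(r"\.loginAdministrative\s*\("),
    "repository-service": re.compile(r"getService\s*\(\s*SlingRepository\.class\s*\)"),
}

# Bodies of <% ... %>, <%= ... %> and <%! ... %> blocks; directives (<%@)
# and JSP comments (<%-- --%>) are skipped because they carry no Java code.
SCRIPTLET_RE = re.compile(r"<%(?![@-])(.*?)%>", re.DOTALL)


@dataclass
class Finding:
    rule: str
    line: int
    text: str


def scan_script(source: str) -> list[Finding]:
    """Return one Finding per risky call found inside a scriptlet body."""
    findings = []
    lines = source.splitlines()
    for block in SCRIPTLET_RE.finditer(source):
        body_start = block.start(1)
        for rule, pattern in RISKY_PATTERNS.items():
            for hit in pattern.finditer(block.group(1)):
                offset = body_start + hit.start()
                # Line numbers are 1-based, counted over the whole source.
                line_no = source.count("\n", 0, offset) + 1
                findings.append(Finding(rule, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def is_upload_allowed(source: str) -> bool:
    """Gate decision: reject any script with at least one finding."""
    return not scan_script(source)


# Constructed sample: the script quoted in the message.
SAMPLE_SCRIPT = """<sling:defineObjects/>
<%
  SlingRepository repo = sling.getService(SlingRepository.class);
  Session superSession = repo.loginAdministrative(null);
  // and then do anything, like superSession.getRootNode().remove();
%>
"""

# Constructed sample: the same method name in template text, not in a
# scriptlet, must not be flagged.
BENIGN_SCRIPT = """<sling:defineObjects/>
<p>Docs: avoid loginAdministrative(null) in scripts.</p>
<%= currentNode.getPath() %>
"""

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(f"line {finding.line}: [{finding.rule}] {finding.text}")
    print("upload allowed:", is_upload_allowed(SAMPLE_SCRIPT))
```

Run against the quoted script this reports the service lookup on line 3 and the administrative login on line 4 and rejects the upload, while the benign template passes. A regex lint of this kind is a cheap gate, not an authorization boundary: it catches the obvious pattern in the message, but the durable fix is to keep script authors from being able to obtain an administrative session at all.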
