On Mon, Oct 10, 2011 at 3:16 PM, Markus Joschko
<[email protected]> wrote:
> ...Basically I need an anonymous user (not authenticated) to create data
> in the repository. However that is not public data. Other anonymous
> users should not be able to view/edit that data....

IMO you need a custom servlet if you want that to be really secure; if
you rely on events to hide nodes there's a time window during which
other users might see the created content.

The problem in this case is reusing the sling post servlet logic,
which IIRC is not too easy (but I didn't check latest changes, I
vaguely remember some improvements).

As a workaround, you could have your custom servlet make an internal
Sling request, using the SlingRequestProcessor service - pass it an
admin ResourceResolver, change the path to the final destination and
otherwise wrap your request to pass all parameters unchanged. This
should allow you to create content from an anonymous request,
without making it readable by other anonymous users.

-Bertrand
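
A sketch of the workaround described in the message above, added here as an example; it is not code from the thread or from the Sling project. The servlet path /bin/anon-submit, the destination /content/private/submissions/ and the class name are hypothetical, and the path methods overridden in the wrapper are an assumption about what the engine reads to resolve the resource.

```java
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.engine.SlingRequestProcessor;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/anon-submit",   // hypothetical public entry point
        "sling.servlet.methods=POST" })
public class AnonymousSubmitServlet extends SlingAllMethodsServlet {
    // Hypothetical destination; its ACL must deny jcr:read to anonymous.
    // The trailing "/" asks the Sling POST servlet to generate the node name.
    private static final String DESTINATION = "/content/private/submissions/";

    @Reference
    private SlingRequestProcessor processor;

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        ResourceResolver admin = null;
        try {
            // Admin session as in the message; newer Sling deprecates this call in favour of service users.
            admin = resolverFactory.getAdministrativeResourceResolver(null);
            // Only the path changes; method, parameters and body reach the POST servlet unchanged.
            HttpServletRequestWrapper internal = new HttpServletRequestWrapper(request) {
                @Override public String getServletPath() { return ""; }
                @Override public String getPathInfo() { return DESTINATION; }
                @Override public String getRequestURI() { return DESTINATION; }
            };
            processor.processRequest(internal, response, admin);
        } catch (LoginException e) {
            throw new ServletException("Cannot open admin ResourceResolver", e);
        } finally {
            if (admin != null) { admin.close(); }
        }
    }
}
```

The destination is a constant chosen in code, never a value taken from the request, because the internal request runs with the admin session's rights.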
