On Mon, Oct 10, 2011 at 4:24 PM, Bertrand Delacretaz <[email protected]> wrote:
> On Mon, Oct 10, 2011 at 3:16 PM, Markus Joschko
> <[email protected]> wrote:
>> ...Basically I need an anonymous user (not authenticated) to create data
>> in the repository. However that is not public data. Other anonymous
>> users should not be able to view/edit that data....
>
> IMO you need a custom servlet if you want that to be really secure, if
> you rely on events to hide nodes there's a time window during which
> other users might see the created content.

This small window is acceptable, especially as there is no read right on the folder.

>
> The problem in this case is reusing the sling post servlet logic,
> which IIRC is not too easy (but I didn't check latest changes, I
> vaguely remember some improvements).
>
> As a workaround, you could have your custom servlet make an internal
> Sling request, using the SlingRequestProcessor service - pass it an
> admin ResourceResolver, change the path to the final destination and
> otherwise wrap your request to pass all parameters unchanged. This
> should allow you to create content from an anonymous request,
> without making it readable by other anonymous users.

That sounds perfect. I'll have a look into this tomorrow.

Thanks,
Markus
