Hi,

On 16.09.2012 at 20:41, Sandro Boehme wrote:
> Hello,
>
> I understand that I can deny jcr:all for /apps and also for a script
> path that is mounted from a bundle via
> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
> After that the user will not see the scripts anymore. But if they are
> called to render a resource they are still executed. Is there a way to
> have something like jcr:execute to specify which users are allowed to
> execute the scripts?

Yes, something like an execution privilege would have been a solution (actually my preferred one).

But we decided to do it differently: The ServletResolver which does the resolution uses a special user (admin by default) to access the scripts.

In addition only scripts at certain locations are ever considered. IIRC this is /libs and /apps by default such that no scripts below /var or /tmp may actually be executed.

Both these features allow for this "security".

Regards
Felix
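The location restriction described in the reply above, sketched as an added example; this is not part of the original message and not Sling's own ServletResolver code. The class and method names are hypothetical, the roots are the defaults the reply recalls, and the path normalization and segment-boundary matching are assumptions about how such a check should behave.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

/** Illustration only: a hypothetical execution-path allowlist, not Sling's implementation. */
public class ExecutionPathCheck {

    // Assumed defaults, taken from the reply above ("IIRC this is /libs and /apps").
    static final List<String> EXECUTION_ROOTS = List.of("/libs", "/apps");

    /** Collapse ".", ".." and empty segments so "/apps/../tmp/x" cannot pass as "/apps/...". */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String s : path.split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) {
                if (segments.isEmpty()) return null; // climbs above the root: reject
                segments.removeLast();
            } else {
                segments.addLast(s);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** True only if the script lies below one of the roots, matched on a segment boundary. */
    static boolean isExecutable(String scriptPath) {
        if (scriptPath == null || !scriptPath.startsWith("/")) return false;
        String p = normalize(scriptPath);
        if (p == null) return false;
        for (String root : EXECUTION_ROOTS) {
            if (p.startsWith(root + "/")) return true; // "/apps2/x" does not match "/apps"
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the thread.
        String[] samples = {
            "/apps/myapp/components/page/page.jsp",
            "/libs/sling/servlet/default/GET.jsp",
            "/var/upload/uploaded.jsp",
            "/tmp/x.esp",
            "/apps2/x.jsp",
            "/apps/../tmp/x.esp"
        };
        for (String s : samples) {
            System.out.printf("%-42s %s%n", s, isExecutable(s) ? "considered" : "ignored");
        }
    }
}
```

Only the first two sample paths are reported as considered. Read access to the script is not part of this check, which matches the behaviour in the question: denying a user jcr:all on /apps hides the scripts but does not stop them from being executed.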
