Hi Felix,
my comment is inline.
Am 17.09.12 11:54, schrieb Felix Meschberger:
Hi,
Am 16.09.2012 um 20:41 schrieb Sandro Boehme:
Hello,
I understand that I can deny jcr:all for /apps and also for a
script path that is mounted from a bundle via
<Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>
. After that the user will not see the scripts anymore. But if they are
called to render a resource they are still executed. Is there a way
to have something like jcr:execute to specify which user are
allowed to execute the scripts?
Yes, something like an execution privilege would have been a solution
(actually my preferred one).
But we decided to do it differently: The ServletResolver which does
the resolution uses a special user (admin by default) to access the
But the scripts are not executed as admin right? I mean: If anonymous
calls a script (jsp, eps,...) that deletes a node. And anonymous has not
the jcr:removeNode privilege on that node, he would get an error as this
script is executed as anonymous not as admin. Right?
Best,
Sandro
scripts. In addition only scripts at certain locations are ever
considered. IIRC this is /libs and /apps by default such that no
scripts below /var or /tmp may actually be executed.
Both these features allow for this "security".
Regards Felix
