Return-Path: X-Original-To: apmail-jackrabbit-oak-dev-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2809210021 for ; Thu, 14 Nov 2013 08:39:53 +0000 (UTC) Received: (qmail 47622 invoked by uid 500); 14 Nov 2013 08:39:51 -0000 Delivered-To: apmail-jackrabbit-oak-dev-archive@jackrabbit.apache.org Received: (qmail 47483 invoked by uid 500); 14 Nov 2013 08:39:49 -0000 Mailing-List: contact oak-dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-dev@jackrabbit.apache.org Received: (qmail 47446 invoked by uid 99); 14 Nov 2013 08:39:44 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Nov 2013 08:39:44 +0000 X-ASF-Spam-Status: No, hits=-1.3 required=5.0 tests=FRT_ADOBE2,RCVD_IN_DNSWL_MED,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of anchela@adobe.com designates 64.18.1.191 as permitted sender) Received: from [64.18.1.191] (HELO exprod6og106.obsmtp.com) (64.18.1.191) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Nov 2013 08:39:35 +0000 Received: from outbound-smtp-1.corp.adobe.com ([192.150.11.134]) by exprod6ob106.postini.com ([64.18.5.12]) with SMTP ID DSNKUoSMMVW67B3cFXA0t0XKoUnqQdyGiMUl@postini.com; Thu, 14 Nov 2013 00:39:15 PST Received: from inner-relay-2.corp.adobe.com ([153.32.1.52]) by outbound-smtp-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id rAE8ZSt2002739 for ; Thu, 14 Nov 2013 00:35:29 -0800 (PST) Received: from nacas01.corp.adobe.com (nacas01.corp.adobe.com [10.8.189.99]) by inner-relay-2.corp.adobe.com (8.12.10/8.12.10) with ESMTP id rAE8dCOV029362 for ; Thu, 14 Nov 2013 00:39:12 -0800 (PST) Received: from eurcas01.eur.adobe.com (10.128.4.27) by nacas01.corp.adobe.com (10.8.189.99) with Microsoft SMTP Server (TLS) id 8.3.327.1; Thu, 14 Nov 2013 00:39:12 -0800 Received: from eurmbx01.eur.adobe.com ([10.128.4.32]) by eurcas01.eur.adobe.com ([10.128.4.27]) with mapi; Thu, 14 Nov 2013 08:39:09 +0000 From: Angela Schreiber To: "oak-dev@jackrabbit.apache.org" Date: Thu, 14 Nov 2013 08:39:07 +0000 Subject: Re: Security Concerns wrt Index Definitions Thread-Topic: Security Concerns wrt Index Definitions Thread-Index: Ac7hFPwUaCiOZxSxTA6J1rh1F1ixYw== Message-ID: In-Reply-To: <4D074FBD-E011-4501-8C8D-A7FA84949877@adobe.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.2.130206 acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Virus-Checked: Checked by ClamAV on apache.org hi On 11/13/13 9:45 PM, "Alexander Klimetschek" wrote: >On 13.11.2013, at 09:16, Angela Schreiber wrote: > >> while i can see some benefit of having index definitions with >> the content being index i am not happy with having the >> built in index definitions underneath the root node. is is for >> sure asking for troubles as the /jcr:system is generally protected >> in some way while the root node is very often defined to be >> readable to everyone (imagine our regular publish setup). > >I agree, built-in indexes should be under /jcr:system. ok... what about explicitly specifying the path for with a given the definition applies? >If the oak:index nodes can be everywhere (close to the content to be >indexed), which IMO is useful for applications, then you are free to put >the built-in indexes everwhere. [...] yes... but the key point here is IMO 'applications'. i am not sure if it really makes sense to allow everyone with write permission to create index definitions such as proposed by jukka earlier. to be honest that looks pretty scary to me. imagine the following scenarios: - authors can just create new index where ever they feel fancy - they may not care about an existing index already taking care of this - they may not be aware of or care about creating the same index definition=20 again with another name. - public writable content such as we have it in social collab features: - any user with write access may create a new index definititions? this may result in polluting the repository with additional and maybe superfluous index definitions and indices, triggering that both get versioned... someone may even try to abuse this. note, that my point is not primarily if and how we can assure that the implementation gracefully handles such cases in order to prevent major problems. instead i think we should make a conscious decision on whether setting up index definitions and consequently triggering indexing is really something that everyone can do who has write permission at some place in the repository. kind regards angela