sling-dev mailing list archives

From Oliver Pfeiffer <oliver.pfeif...@icip.ch>
Subject Re: Beginner question: script resolution
Date Sat, 01 Aug 2009 14:40:25 GMT
Thanks a lot for your hints and the small discussion.
In a first step I will probably go on with my small project without the
directory structure for my scripts I had in mind. :-)
Thanks again.

Regards,
Oliver

2009/7/30 Alexander Klimetschek <aklimets@day.com>

> On Thu, Jul 30, 2009 at 3:05 PM, Ian Boston<ieb@tfd.co.uk> wrote:
> > I might be missing the point, but,
> > I think this is a generic problem not just limited to this area, if I can
> > create a node and set sling:resourceType=something/nasty, *and* upload an
> > arbitrary script to somewhere that is resolved to by "something/nasty", then
> > I can do the same in 2 steps?
> >
> > IIRC, there is some work in progress to limit how scripts are loaded, but it
> > may not extend as far as protecting the location.
>
> You are right, I forgot about that issue. So basically one has to make
> sure anonymous or "public" users (ie. through self-registration)
> cannot set resource types (which would require an ACL on the
> sling:resourceType/sling:superResourceType properties, which isn't
> possible with JCR 1.0 or 2.0) or simply has only write-access to
> locations that are not part of the script resolution search path.
>
> > also... how does a script resolve *outside* /apps ?
>
> You can use an absolute path... at least in Java servlets with the
> sling.servlet.paths SCR property. Not sure if this applies to
> sling:resourceType as well.
>
> >> :name and :nameHint are not enough?
> >
> > yes, for names like /content/new/a_file_that_was_hinted
> >
> > but not so good for
> >
> > /content/new/a/file/that/was/hinted
> >  where the name is a path, perhaps derived from the post.
>
> Yes, this use case must be handled on the client side (eg. Javascript
> in browsers), to set the path before the post.
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> alexander.klimetschek@day.com
>



-- 
Dr. Oliver Pfeiffer
Individual Computing GmbH
Ingelsteinweg 2d, 4143 Dornach

Tel.: +41 61 511 23 63
E-Mail: oliver.pfeiffer@individual-computing.com
Web: www.individual-computing.com
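
The second mitigation in Alexander's quoted reply (untrusted users may only write to locations outside the script resolution search path) can be checked against a repository's ACL entries. The following is an added example, not part of the thread or of Sling; it assumes the default search path `/apps`, `/libs`, and the function names and sample entries are constructed for illustration.

```python
from posixpath import normpath

# Assumption: Sling's default resource resolver search path.
SEARCH_PATH = ("/apps", "/libs")
# JCR 2.0 privileges that let a principal create nodes or set properties.
WRITE_PRIVS = {"jcr:all", "jcr:write", "jcr:addChildNodes", "jcr:modifyProperties"}


def _covers(ancestor, path):
    """True if `ancestor` equals `path` or is one of its parent nodes."""
    ancestor, path = normpath(ancestor), normpath(path)
    return ancestor == "/" or path == ancestor or path.startswith(ancestor + "/")


def risky_aces(aces, untrusted, search_path=SEARCH_PATH):
    """Return (principal, path, reason) for every allow entry that lets an
    untrusted principal write where scripts are resolved from.

    Simplified model: only allow entries are read; deny entries and entry
    order are ignored, so the result is a conservative list to review."""
    findings = []
    for principal, path, privileges in aces:
        if principal not in untrusted or not WRITE_PRIVS & set(privileges):
            continue
        for root in search_path:
            if _covers(path, root):  # grant sits on the root or above it
                findings.append((principal, path, f"grant covers {root}"))
                break
            if _covers(root, path):  # grant sits below the root
                findings.append((principal, path, f"inside {root}"))
                break
    return findings


# Constructed sample ACEs: (principal, node path, allowed privileges).
SAMPLE_ACES = [
    ("anonymous", "/content/forum", ["jcr:read", "jcr:addChildNodes"]),
    ("registered-users", "/apps/forum/user-scripts", ["jcr:write"]),
    ("registered-users", "/", ["jcr:modifyProperties"]),
    ("anonymous", "/apps", ["jcr:read"]),
    ("admin", "/apps", ["jcr:all"]),
]

if __name__ == "__main__":
    for finding in risky_aces(SAMPLE_ACES, {"anonymous", "registered-users"}):
        print(finding)
```

If sling:resourceType also accepts absolute paths, which the thread leaves open, an empty result here does not cover that case.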
