sling-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: [sling:resourceType] protected execution
Date Fri, 05 Oct 2018 08:35:13 GMT
Hi,

On Fri, Oct 5, 2018 at 6:52 AM Carsten Ziegeler <cziegeler@apache.org> wrote:

> ...I would like to get briefly back to the use case of this "dangerous
> servlet". Why isn't that servlet doing the permission checks which I
> think is way safer than relying on additional magic somewhere else
> (regardless of what it is)?...

That servlet can of course do its own checks, but how?

I don't think we have a recommended way of doing that, nor tools that help.

The goal here is to define a standard way for how code running in
Sling can check permissions, which can be as simple as

  void checkAllPermissions(ResourceResolver context, String ...
permissionName) throws PermissionDeniedException

One idea discussed earlier was to create a generic permissions
checking service for that.

Here I think Radu is taking the angle that such permissions are
currently only needed for resource types, servlets and scripts, so
this permissions API and impl can stay internal to the servlets
resolver module for now. I think that works, provided that's designed
in a way that allow us to take it out into a standalone module if
needed later.

-Bertrand

Mime
View raw message