Posted to dev@sling.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2023/04/13 05:07:00 UTC

[jira] [Resolved] (SLING-2236) Default POST servlet reports invalid operation when it should report 404

     [ https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-2236.
-------------------------------------
    Resolution: Won't Fix

> Default POST servlet reports invalid operation when it should report 404
> ------------------------------------------------------------------------
>
>                 Key: SLING-2236
>                 URL: https://issues.apache.org/jira/browse/SLING-2236
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>            Reporter: Jeff Young
>            Priority: Minor
>
> In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look up the operation (and report an unknown operation) before checking privileges.  I'd 
> like to propose that when the operation is not understood, we first check for read access to the resource, and if unsuccessful, report that instead of reporting
> "invalid operation".
> Here's the issue: say I define my own POST servlet which supports :operation="foo".  I set a sling:resourceType so that my POST servlet gets invoked.  All fine 
> and good.
> Now someone without read access to the resource tries to do an :operation="foo".  Sling can't read the sling:resourceType (no read access), and so invokes the
> default POST servlet instead of my custom POST servlet.  It looks up :operation="foo" and reports "invalid operation" (which is pretty misleading).



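
The check ordering described in the report, as an added example that is not part of the original message and is not Sling code: a self-contained model in which servlet selection depends on being able to read sling:resourceType, run with the current order and with the proposed read-check-first order. The users, the path, the resource type "example/foo", the partial operation list and all method names are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Simplified model of the dispatch described in SLING-2236; hypothetical names, no Sling APIs. */
public class PostDispatchModel {

    // Constructed sample repository: path -> sling:resourceType
    static final Map<String, String> RESOURCE_TYPES = Map.of("/content/report", "example/foo");
    // Constructed ACL: user -> paths that user may read
    static final Map<String, Set<String>> READABLE = Map.of(
            "alice", Set.of("/content/report"),
            "bob", Set.<String>of());
    // Partial, constructed list of operations the default POST servlet knows; "foo" is not one of them.
    static final Set<String> DEFAULT_OPERATIONS = Set.of("delete", "copy", "move");

    static boolean canRead(String user, String path) {
        return READABLE.getOrDefault(user, Set.of()).contains(path);
    }

    /** Without read access the resource type is invisible, so the default servlet is selected. */
    static String selectServlet(String user, String path) {
        String type = canRead(user, path) ? RESOURCE_TYPES.get(path) : null;
        return "example/foo".equals(type) ? "custom" : "default";
    }

    /** readCheckFirst=false models the order in the report; true models the proposed order. */
    static String doPost(String user, String path, String operation, boolean readCheckFirst) {
        if (selectServlet(user, path).equals("custom")) {
            return "foo".equals(operation) ? "handled by custom servlet" : "invalid operation";
        }
        if (!DEFAULT_OPERATIONS.contains(operation)) {
            // Proposed change: an unreadable resource is reported before the unknown operation.
            if (readCheckFirst && !canRead(user, path)) {
                return "404";
            }
            return "invalid operation";
        }
        return "default servlet proceeds to its privilege checks";
    }

    public static void main(String[] args) {
        // Reader with access: the custom servlet is selected.
        System.out.println(doPost("alice", "/content/report", "foo", false));
        // No read access, order described in the report.
        System.out.println(doPost("bob", "/content/report", "foo", false));
        // No read access, proposed order.
        System.out.println(doPost("bob", "/content/report", "foo", true));
    }
}
```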