Posted to dev@sling.apache.org by "Michael Marth (JIRA)" <ji...@apache.org> on 2009/06/02 12:51:07 UTC

[jira] Created: (SLING-989) scripts in /apps are read by user session, this leads to security problem

scripts in /apps are read by user session, this leads to security problem
-------------------------------------------------------------------------

                 Key: SLING-989
                 URL: https://issues.apache.org/jira/browse/SLING-989
             Project: Sling
          Issue Type: Bug
            Reporter: Michael Marth


At the moment the user session is used to read the scripts stored in /apps. Most web apps have some anonymous users as well; therefore the ACLs of /apps must allow read access to the /apps directory. Hence, all scripts within /apps are readable by anyone.

I suggest allowing the Sling administrator to configure which session to use when the scripts are read. He could choose the admin session or stick with the default (the user's session).
