[ https://issues.apache.org/jira/browse/JCRVLT-427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089292#comment-17089292 ]

Georg Henzler commented on JCRVLT-427:
--------------------------------------

bq.  ...they still can do nasty things like `system.exit()`

Using the proposed check for "session may write in /apps" would prohibit this 
for both the hooks and any other code (e.g. from bundles installed by OSGi 
installer) that could do the same malicious thing. The overall approach would 
be consistent (one place) independent of the code source.

bq. if the permission setup is done properly the limitation to administrative 
principals would most likely not be needed at all

I would also lean towards removing this completely. 
 

> Allow installation of packages with hook for users without admin privileges
> ---------------------------------------------------------------------------
>
>                 Key: JCRVLT-427
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-427
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: vlt
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>             Fix For: 3.4.6
>
>
> Currently, due to the check in 
> https://github.com/apache/jackrabbit-filevault/blob/e257001ec22ea06bcc987cbf79f0cc9b15c4e186/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/ZipVaultPackage.java#L184
> , packages containing a hook can only be installed by admins.
> Although I do understand the intent of that, I think this is not flexible 
> enough, as currently that only gives the rights to users "admin", "system" or 
> members of group "administrators". Instead there should be an OSGi 
> configuration which allows granting the right to install 
> packages with hooks to other groups as well!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
