kwin commented on pull request #89: URL: https://github.com/apache/jackrabbit-filevault/pull/89#issuecomment-651037534
> I guess, the entire RCP service is kind of insecure and should require an admin session for adding a task.

I don't follow here, because starting a task via API requires giving a session on the destination system: https://github.com/apache/jackrabbit-filevault/blob/70dfb76e5c5aef46866b6e31570ce6cea9c9ccd7/vault-rcp/src/main/java/org/apache/jackrabbit/vault/rcp/impl/RcpTaskImpl.java#L195. The servlet is using the current session for that (i.e. using the context of the calling user).

> Also, I think that just persisting the task isn't enough, as the current progress is not saved. i.e. after every copy operation, the current traverse state should be stored, otherwise this feature is useless.

For me the persist feature is mostly about backstaging content from PROD to STAGE or other environments which happens periodically. For one-time migration things it is not useful. Therefore I would also not persist the state, but rather start tasks from scratch manually after a restart.

> Also, I think I changed my mind, and I think it's better to store the task in the bundle data than in the repository.

Why is that? Having it in the repo allows configuring tasks via packages instead of via Servlet/API only. I don't see any security implications as starting tasks still requires a dedicated session!