[ https://issues.apache.org/jira/browse/SLING-989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler resolved SLING-989.
------------------------------------

    Resolution: Duplicate

> scripts in /apps are read by user session, this leads to security problem
> -------------------------------------------------------------------------
>
>                 Key: SLING-989
>                 URL: https://issues.apache.org/jira/browse/SLING-989
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting Core 2.0.4
>            Reporter: Michael Marth
>
> At the moment the user session is used to read the scripts stored in /apps.
> Most web apps have some anonymous users as well, therefore the ACLs of /apps
> must allow read access of the /apps directory. Hence, all scripts within
> /apps are readable by anyone.
> I suggest to allow the Sling administrator to configure which session to use
> when the scripts are read. He could choose the admin session or stick with
> the default (the user's session).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.