Ian Boston wrote:
>
> On 18 Nov 2009, at 11:13, Bertrand Delacretaz wrote:
>
>> On Wed, Nov 18, 2009 at 6:02 PM, Carsten Ziegeler
>> <[email protected]> wrote:
>>> ...I think we should rather go for an xml generation that is resource
>>> based and works like the json stuff. This way we don't have any
>>> limitations (like some parts of the resource tree are not renderable
>>> as xml) and can easily apply the same algorithm as for the json output....
>>
>> Sounds good to me, but we should keep the existing docview/sysview
>> formats as options - they are useful when moving stuff between
>> repositories (which might not use Sling).
>>
>> -Bertrand
>
> 2 observations.
>
> When I made the request as an anon user, there was significant load on
> the server as it loaded all the nodes in the jcr. (potential DoS)
> and
> I am wondering why it loaded all the nodes in the JCR seeing as some of
> them had restrictive ACLs on them and should not have been rendered.
>
> The DoS issue is a bit worrying?
>
Yes and no :)
The xml export can be turned off, so the hole can be closed.
Unfortunately it is open by default.

Carsten
--
Carsten Ziegeler
[email protected]
