kwin commented on code in PR #78:
URL:
https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233
##########
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##########
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
// finally redirect
final String path = request.getContextPath() + request.getServletPath()
+ request.getPathInfo();
- final String redirectTo;
+ String redirectTo;
if (msg == null) {
redirectTo = path;
} else {
redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
+ PAR_TEST + '=' + encodeParam(test);
+ if ( user != null && user.length() > 0 ) {
+ redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+ }
}
response.sendRedirect(redirectTo);
}
+ private ResourceResolver
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+ throws LoginException {
+
+ // resolver is set by the auth.core bundle in case of successful
authentication, so it should
+ // always be there
+ Object resolverAttribute =
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
Review Comment:
Actually the user needs to be "admin", just being member of the
administrators group is IMHO not enough. I don't think that there is an option
yet for a user to enable him to impersonate as anyone else. Might be a good
extension though.
The same limitation applies to the user doing the webconsole request (in
case the Sling Webconsole Security provider is used), so in fact this option
does only work for admin with all other users.
Therefore I would suggest to use a new administrative resource resolver with
impersonation and whitelist the usage accordingly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
