[ https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13190929#comment-13190929 ]
Felix Meschberger commented on SLING-2236: ------------------------------------------ I agree with Justin: Operation lookup is just that, nothing else. If the Sling POST Servlet does not know an operation it complains. That's how it works. As a solution to your problem: You might consider implementing your POST servlet as an PostOperation service and hook into the Sling POST Servlet supporting your particular operation. > Default POST servlet reports invalid operation when it should report 404 > ------------------------------------------------------------------------ > > Key: SLING-2236 > URL: https://issues.apache.org/jira/browse/SLING-2236 > Project: Sling > Issue Type: Bug > Components: Servlets > Reporter: Jeff Young > Priority: Minor > > In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look > up the operation (and report an unknown operation) before checking > privileges. I'd > like to propose that when the operation is not understood, we first check for > read access to the resource, and if unsuccessful, report that instead of > reporting > "invalid operation". > Here's the issue: say I define my own POST servlet which supports > :operation="foo". I set a sling:resourceType so that my POST servlet gets > invoked. All fine > and good. > Now someone without read access to the resource tries to do an > :operation="foo". Sling can't read the sling:resourceType (no read access), > and so invokes the > default POST servlet instead of my custom POST servlet. It looks up > :operation="foo" and reports "invalid operation" (which is pretty misleading). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira