[ https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13190968#comment-13190968 ]
Jeff Young commented on SLING-2236: ----------------------------------- Imagine our poor developer trying to debug this. A workaround isn't very useful if there's no indication that they ought to use the workaround. It's not the operation lookup that's the issue: it's that (conceptually) the WRONG servlet is processing the operation (because we couldn't read the sling:resourceType to get the RIGHT servlet). We at least give our developer a hint with a 404; they're going to be pretty baffled when we report an invalid operation. > Default POST servlet reports invalid operation when it should report 404 > ------------------------------------------------------------------------ > > Key: SLING-2236 > URL: https://issues.apache.org/jira/browse/SLING-2236 > Project: Sling > Issue Type: Bug > Components: Servlets > Reporter: Jeff Young > Priority: Minor > > In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look > up the operation (and report an unknown operation) before checking > privileges. I'd > like to propose that when the operation is not understood, we first check for > read access to the resource, and if unsuccessful, report that instead of > reporting > "invalid operation". > Here's the issue: say I define my own POST servlet which supports > :operation="foo". I set a sling:resourceType so that my POST servlet gets > invoked. All fine > and good. > Now someone without read access to the resource tries to do an > :operation="foo". Sling can't read the sling:resourceType (no read access), > and so invokes the > default POST servlet instead of my custom POST servlet. It looks up > :operation="foo" and reports "invalid operation" (which is pretty misleading). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira