[ https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191192#comment-13191192 ]

Justin Edelson commented on SLING-2236:
---------------------------------------

> Let's say the :operation -is- one the default servlet knows. In that case, 
> it's going to report a 404. 

Not necessarily. It's actually more likely to return a 500. 

> So, conceptually, in the "bad" operation case the default servlet sees two 
> problems: we can't read the resource and we don't know what the operation 
> is. There's nothing in the Sling contract which states that operation errors 
> have precedence over read-access errors. (And, while this particular 
> instance doesn't appear to have any exploitability, it would seem that in 
> general you'd want to give read-access errors precedence in order to reduce 
> the possibility of leaking "resource exists" information.)

You kinda lost me there at the end, but I think from the servlet's perspective, 
there's only really one problem - it doesn't know what the operation is. What 
the operation does or what it needs (in terms of access to the repo) is not the 
servlet's concern.

I could imagine allowing the operation to assert some preconditions (i.e. only 
execute me if the resource is writeable) either via service properties or 
something like the OptingServlet, but it's not clear that would help your 
situation.
> Default POST servlet reports invalid operation when it should report 404
> ------------------------------------------------------------------------
>
>                 Key: SLING-2236
>                 URL: https://issues.apache.org/jira/browse/SLING-2236
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>            Reporter: Jeff Young
>            Priority: Minor
>
> In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look 
> up the operation (and report an unknown operation) before checking 
> privileges. I'd like to propose that when the operation is not understood, we 
> first check for read access to the resource, and if unsuccessful, report that 
> instead of reporting "invalid operation".
>
> Here's the issue: say I define my own POST servlet which supports 
> :operation="foo". I set a sling:resourceType so that my POST servlet gets 
> invoked. All fine and good.
>
> Now someone without read access to the resource tries to do an 
> :operation="foo". Sling can't read the sling:resourceType (no read access), 
> and so invokes the default POST servlet instead of my custom POST servlet. It 
> looks up :operation="foo" and reports "invalid operation" (which is pretty 
> misleading).
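
A sketch of the check order the issue proposes, as an added example written here and not code from Sling's SlingPostServlet or the reporter's custom servlet. It assumes the standard Sling API classes imported below, assumes that a node the calling session cannot read resolves as a NonExistingResource (the usual JCR-backed behaviour), and uses the issue's hypothetical "foo" operation name:

```java
// Added example, not Sling's own SlingPostServlet: a POST servlet that answers
// the read-access question before it ever mentions the :operation parameter,
// so an unreadable resource gets the same 404 a plain GET would give.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.servlets.post.SlingPostConstants;

public class ReadCheckedPostServlet extends SlingAllMethodsServlet {

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        Resource resource = request.getResource();

        // Assumption: a resource the caller may not read (or that does not exist)
        // arrives as a NonExistingResource. Report 404 first, so "invalid
        // operation" can never confirm that an unreadable path exists.
        if (ResourceUtil.isNonExistingResource(resource)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Only now is the operation name consulted (SlingPostConstants.RP_OPERATION
        // is the ":operation" request parameter).
        String operation = request.getParameter(SlingPostConstants.RP_OPERATION);
        if (operation == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing :operation");
            return;
        }
        if ("foo".equals(operation)) { // hypothetical operation from the issue
            handleFoo(resource, response);
            return;
        }
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid operation: " + operation);
    }

    // Stand-in for the custom "foo" behaviour: echo which readable resource it ran on.
    private void handleFoo(Resource resource, SlingHttpServletResponse response) throws IOException {
        response.setContentType("text/plain");
        response.getWriter().write("foo applied to " + resource.getPath());
    }
}
```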
