[ https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191227#comment-13191227 ]
Jeff Young commented on SLING-2236: ----------------------------------- Hi Justin, In my first example, if I use a -known- operation on a non-readable resource, then the servlet -will- return a 404. It's true that different operations may have different -specific- access requirements. But they should only handle those -after- checking for basic read access. To do anything else risks information leakage. So, yes, I like your precondition idea, but there's only one, and it's invariant: do we at least have read-access? If not, return a 404. Don't give the caller -any- other information. > Default POST servlet reports invalid operation when it should report 404 > ------------------------------------------------------------------------ > > Key: SLING-2236 > URL: https://issues.apache.org/jira/browse/SLING-2236 > Project: Sling > Issue Type: Bug > Components: Servlets > Reporter: Jeff Young > Priority: Minor > > In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look > up the operation (and report an unknown operation) before checking > privileges. I'd > like to propose that when the operation is not understood, we first check for > read access to the resource, and if unsuccessful, report that instead of > reporting > "invalid operation". > Here's the issue: say I define my own POST servlet which supports > :operation="foo". I set a sling:resourceType so that my POST servlet gets > invoked. All fine > and good. > Now someone without read access to the resource tries to do an > :operation="foo". Sling can't read the sling:resourceType (no read access), > and so invokes the > default POST servlet instead of my custom POST servlet. It looks up > :operation="foo" and reports "invalid operation" (which is pretty misleading). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira