[ https://issues.apache.org/jira/browse/SLING-3458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13939697#comment-13939697 ]
Mike Müller commented on SLING-3458:
------------------------------------
The issue I described in [1] can be solved by SLING-3462.
But your patch addresses another issue:
The question is how should ResourceAccessSecurity behave if a resource from
a provider with the useResourceAccessSecurity flag set matches registered
ResourceAccessGates for provider and application context. Should they be logically
"ANDed" or "ORed"? By now the behaviour is inconsistent: It will be "ORed" if
the provider context does not deny the access, otherwise "ANDed".
I think AND would be more secure and therefore less error-prone.
I will check your patch and maybe add some more tests for this case.
[1] http://markmail.org/message/b2ksm2f3lox6l6vh
> Restrictions imposed by ProviderResourceAccessSecurity should not be
> discarded by ApplicationResourceAccessSecurity
> -------------------------------------------------------------------------------------------------------------------
>
> Key: SLING-3458
> URL: https://issues.apache.org/jira/browse/SLING-3458
> Project: Sling
> Issue Type: Bug
> Components: ResourceResolver
> Reporter: Marius Petria
> Attachments: SLING-3458.patch
>
>
> Restrictions imposed by ProviderResourceAccessSecurity should not be
> discarded by ApplicationResourceAccessSecurity.
> More specifically, if ProviderResourceAccessSecurity wraps the original
> resource to protect it against modification then any additional
> transformations made by ApplicationResourceAccessSecurity should use the
> wrapped resource.
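The defect named in the issue description, as an added example that is not part of the original message or of Sling's code: a simplified Java model showing an application-context stage that drops the provider's read-only wrapper, beside the chained form that keeps it. All types and method names here (`Resource`, `ReadOnly`, `Audited`, `discarding`, `chained`) are hypothetical.

```java
import java.util.function.UnaryOperator;

// Simplified model; these types are hypothetical and are not Sling's API.
public class AccessSecurityChain {

    interface Resource {
        String path();
        boolean canModify();
    }

    record Plain(String path) implements Resource {
        public boolean canModify() { return true; }
    }

    // Provider-context restriction: a wrapper that blocks modification.
    record ReadOnly(Resource inner) implements Resource {
        public String path() { return inner.path(); }
        public boolean canModify() { return false; }
    }

    // Application-context transformation: a wrapper that delegates every check.
    record Audited(Resource inner) implements Resource {
        public String path() { return inner.path(); }
        public boolean canModify() { return inner.canModify(); }
    }

    // Defect: the application stage starts again from the original resource,
    // so the provider's read-only wrapper is discarded.
    static Resource discarding(Resource original,
            UnaryOperator<Resource> provider, UnaryOperator<Resource> application) {
        Resource restricted = provider.apply(original);
        return restricted == null ? null : application.apply(original);
    }

    // Expected behaviour: the application stage receives the provider's result.
    static Resource chained(Resource original,
            UnaryOperator<Resource> provider, UnaryOperator<Resource> application) {
        Resource restricted = provider.apply(original);
        return restricted == null ? null : application.apply(restricted);
    }

    public static void main(String[] args) {
        Resource r = new Plain("/content/sample"); // constructed sample path
        System.out.println("discarding: canModify="
                + discarding(r, ReadOnly::new, Audited::new).canModify());
        System.out.println("chained:    canModify="
                + chained(r, ReadOnly::new, Audited::new).canModify());
    }
}
```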