[ https://issues.apache.org/jira/browse/SLING-3203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13949279#comment-13949279 ]

Rob Ryan commented on SLING-3203:
---------------------------------

In the case an :applyTo is provided, isn't this check too draconian?

Forbidding selectors on the sling post servlet ignores that filters and 
security checks might wish to use selectors to enforce security in front of the 
sling post servlet.

> Post servlet's delete operation deletes parent of nonexisting node
> ------------------------------------------------------------------
>
>                 Key: SLING-3203
>                 URL: https://issues.apache.org/jira/browse/SLING-3203
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Post 2.3.2
>            Reporter: Bertrand Delacretaz
>            Assignee: Bertrand Delacretaz
>             Fix For: Servlets Post 2.3.4
>
>         Attachments: SLING-3203.patch
>
>
> In the below scenario, /tmp/test is gone after the delete operation - the 
> resource resolver goes up the path of the nonexisting node, and it's 
> /tmp/test that's provided to the DeleteOperation.
> I think we should change this (maybe with a backwards compatibility switch), 
> as it's clear that the user's intention in this case is not to delete 
> /tmp/test. Maybe just reject :delete operations if the request has any 
> selector or extensions.
> curl -u admin:admin -X POST http://localhost:8080/tmp/test/some.node
> curl -u admin:admin http://localhost:8080/tmp/test.tidy.2.json # looks good
> curl -u admin:admin -F:operation=delete http://localhost:8080/tmp/test.other/nothing
> curl -u admin:admin http://localhost:8080/tmp/test.tidy.2.json # 404



--
This message was sent by Atlassian JIRA
(v6.2#6252)
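
A simplified model of the resolution behaviour described in the issue, as an added example that is not part of the original message or of Sling's code. It assumes the resolver shortens the request path at each "." until something exists; the names `resolve`, `split_remainder`, `delete_targets` and `EXISTING` are hypothetical, and the `apply_to` branch models the question raised in the comment, not the committed fix.

```python
# Simplified model (assumption, not Sling's code): try the full request path,
# then the path cut at each "." from right to left; whatever follows the
# resolved path is parsed as selectors, extension and suffix.
EXISTING = {"/tmp", "/tmp/test", "/tmp/test/some.node"}  # constructed content


def resolve(request_path, existing=EXISTING):
    """Return (resource_path, remainder), or (None, request_path) if no match."""
    candidate = request_path
    while candidate not in existing:
        cut = candidate.rfind(".")
        if cut < 0:
            return None, request_path
        candidate = candidate[:cut]
    return candidate, request_path[len(candidate):]


def split_remainder(remainder):
    """Split ".sel1.sel2.ext/suffix" into (selectors, extension, suffix)."""
    if not remainder.startswith("."):
        return [], None, remainder or None
    head, slash, tail = remainder[1:].partition("/")
    parts = head.split(".")
    return parts[:-1], parts[-1], (slash + tail) or None


def delete_targets(request_path, apply_to=None, existing=EXISTING):
    """Paths a delete would act on; raises when the request path is ambiguous."""
    resource, remainder = resolve(request_path, existing)
    if apply_to:
        # Targets are named explicitly, so the request path decomposition
        # does not choose what gets deleted (the case raised in the comment).
        return list(apply_to)
    if resource is None:
        raise LookupError("nothing resolves for " + request_path)
    selectors, extension, suffix = split_remainder(remainder)
    if selectors or extension or suffix:
        raise ValueError("refusing delete: %s resolved to %s with leftover %r"
                         % (request_path, resource, remainder))
    return [resource]


if __name__ == "__main__":
    print(resolve("/tmp/test.other/nothing"))  # the parent is what resolves
    print(split_remainder(".tidy.2.json"))
    try:
        delete_targets("/tmp/test.other/nothing")
    except ValueError as err:
        print(err)
```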