Hi Lars,

On Thu, May 15, 2014 at 10:19 AM, Lars Krapf <lkr...@adobe.com> wrote:
> ...In other examples, for instance a job
> that processes an asset, the job should be performed with the privileges
> of the triggering user, to limit the possibilities of a potential exploit....

If JCR nodes could belong to a specific user, like Unix files do, it might make sense to run such jobs with the identity of the user owner.

Unfortunately AFAIK JCR doesn't have a concept of user/group owner for nodes, and implementing that securely at the application level doesn't look easy.

I'd be happy to be proven wrong on this, though.

-Bertrand