Hi Radu,

On Fri, Jun 22, 2018 at 3:03 PM Radu Cotescu <[email protected]> wrote:
> ...So what we could do is to combine the two ideas:
>
> Have
> /sling/operations
>     resourceType1
>         ACLs / CUG [0]
>     resourceType2
>         ACLs / CUG [0]
>
> And evaluate them similar to the previous algorithm....

So the ACLs/CUG items above would then be names of Principals who can execute that operation?

I'm not sure why that indirection is needed: if I want to execute a /sling/capabilities/someCaps operation, I might simply call a Permissions service that adds a configurable prefix to that path, ends up with (say) /libs/sling/permissions/sling/capabilities/someCaps and if that resource exists and the current user can read it grants the permission.

This would work for my use cases and I think it's flexible enough and makes full use of well-known Oak conventions and tools - but maybe I'm missing something that your additional indirection brings?

-Bertrand
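
A minimal model of the path-prefix check proposed in this message, added here as an illustration and not code from Sling, Oak or either author. The in-memory `READ_ACL` table, the principal names and the function names are constructed assumptions standing in for a repository read with the current user's session; rejecting paths that normalize outside the prefix is an added hardening step the message does not mention.

```python
import posixpath

PREFIX = "/libs/sling/permissions"  # the configurable prefix from the message

# Constructed sample data: resources and the principals allowed to read them.
READ_ACL = {
    "/libs/sling/permissions/sling/capabilities/someCaps": {"alice", "admins"},
    "/libs/sling/permissions/sling/capabilities/otherCaps": {"admins"},
    "/libs/secret": {"alice"},  # readable by alice, but not a permission resource
}


def can_read(principals, path):
    """Model of a repository read: a missing resource and an unreadable
    resource are indistinguishable to the caller."""
    allowed = READ_ACL.get(path)
    return allowed is not None and bool(allowed & set(principals))


def permission_path(operation, prefix=PREFIX):
    """Map an operation path to its permission resource path.

    Returns None for malformed input or for a path that leaves the prefix
    subtree once "." and ".." segments are resolved."""
    if not operation.startswith("/") or "\x00" in operation:
        return None
    candidate = posixpath.normpath(prefix + operation)
    if not candidate.startswith(prefix + "/"):
        return None
    return candidate


def has_permission(principals, operation):
    """Grant only if the permission resource exists and is readable."""
    path = permission_path(operation)
    return path is not None and can_read(principals, path)


if __name__ == "__main__":
    for user, op in [
        ("alice", "/sling/capabilities/someCaps"),
        ("bob", "/sling/capabilities/someCaps"),
        ("alice", "/sling/capabilities/missing"),
        ("alice", "/../../secret"),
    ]:
        print(user, op, has_permission({user}, op))
```

Without the prefix check in `permission_path`, the last sample call would resolve to `/libs/secret` and grant an operation based on a resource that was never meant to express a permission.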
