Default POST servlet reports invalid operation when it should report 404
------------------------------------------------------------------------

                 Key: SLING-2236
                 URL: https://issues.apache.org/jira/browse/SLING-2236
             Project: Sling
          Issue Type: Bug
          Components: Servlets
            Reporter: Jeff Young


In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look
up the operation (and report an unknown operation) before checking privileges.
I'd like to propose that when the operation is not understood, we first check
for read access to the resource, and if unsuccessful, report that instead of
reporting "invalid operation".

Here's the issue: say I define my own POST servlet which supports
:operation="foo".  I set a sling:resourceType so that my POST servlet gets
invoked.  All fine and good.

Now someone without read access to the resource tries to do an
:operation="foo".  Sling can't read the sling:resourceType (no read access),
and so invokes the default POST servlet instead of my custom POST servlet.
It looks up :operation="foo" and reports "invalid operation" (which is pretty
misleading).
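
The check ordering described in this report, as a small self-contained Java model. This is an added example, not Sling's code and not from the reporter; every class, method, path, user and return string in it is hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

// Toy model of the dispatch described in SLING-2236. Not Sling code: all names
// and sample values are hypothetical and constructed for illustration.
public class PostDispatchModel {
    // Constructed sample data: one resource, its resource type, and who may read it.
    static final Map<String, String> RESOURCE_TYPE = Map.of("/content/item", "my/custom/type");
    static final Map<String, Set<String>> READERS = Map.of("/content/item", Set.of("alice"));
    // Operations known to the default servlet and to the custom servlet bound to the type.
    static final Set<String> DEFAULT_OPS = Set.of("delete", "copy", "move");
    static final Map<String, Set<String>> CUSTOM_OPS = Map.of("my/custom/type", Set.of("foo"));

    static boolean canRead(String user, String path) {
        return READERS.getOrDefault(path, Set.of()).contains(user);
    }

    // Servlet resolution: the resource type is only visible with read access,
    // so a caller who cannot read the resource falls through to the default servlet.
    static Set<String> resolveOps(String user, String path) {
        if (!canRead(user, path)) return DEFAULT_OPS;
        return CUSTOM_OPS.getOrDefault(RESOURCE_TYPE.get(path), DEFAULT_OPS);
    }

    // Ordering the report describes: the operation lookup is the first check.
    static String current(String user, String path, String op) {
        if (!resolveOps(user, path).contains(op)) return "invalid operation";
        return "dispatched"; // later privilege checks are outside this model
    }

    // Ordering the report proposes: on an unknown operation, check read access
    // first and report 404 when the caller cannot read the resource.
    static String proposed(String user, String path, String op) {
        if (!resolveOps(user, path).contains(op)) {
            return canRead(user, path) ? "invalid operation" : "404";
        }
        return "dispatched"; // later privilege checks are outside this model
    }

    public static void main(String[] args) {
        // alice can read the resource, bob cannot; "bar" is unknown to both servlets.
        String[][] cases = {{"alice", "foo"}, {"bob", "foo"}, {"alice", "bar"}};
        for (String[] c : cases) {
            System.out.printf("%-5s op=%-3s current=%-17s proposed=%s%n", c[0], c[1],
                current(c[0], "/content/item", c[1]), proposed(c[0], "/content/item", c[1]));
        }
    }
}
```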
