Thanks for your answer Eric!
After thinking about it in a quiet minute I recognized that the user can
still use curl to display, modify, ... content the same way as the
script. And at the end these actions are denied or allowed by the
privileges on the content.
But your hint about the PrivilegesInfo comes in handy when some HTML
element needs to be disabled upfront to show the user that he will not
be allowed to take the action.
Best,
Sandro
On 17.09.12 03:20, Eric Norman wrote:
I usually just do my own access check inside each script that is updating
something using the PrivilegesInfo class (see [1]).
For example, something like this:
<%
// Check the current user's privileges on the node before rendering.
var privilegesInfo = new Packages.org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo();
if (!privilegesInfo.canModifyProperties(currentNode)) {
    // not allowed, so respond that this page doesn't exist for the current user
    response.sendError(404);
} else {
%>
TODO: render your page here.
<%
} /* end else */
%>
[1] http://sling.apache.org/apidocs/sling6/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.html
On Sun, Sep 16, 2012 at 11:41 AM, Sandro Boehme <[email protected]> wrote:
Hello,
I understand that I can deny jcr:all for /apps and also for a script path
that is mounted from a bundle via
<Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
After that the user will not see the scripts anymore. But if they are
called to render a resource they are still executed. Is there a way to have
something like jcr:execute to specify which users are allowed to execute the
scripts?
Best,
Sandro
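
The upfront disabling mentioned in the reply at the top of this thread, as an added example that is not part of either author's messages: an ESP script that uses PrivilegesInfo only to grey out controls, while the POST itself is still allowed or denied by the privileges on the content. The "title" field name and the form layout are assumptions made for illustration.

```esp
<%
// Added example. Assumes the standard Sling ESP bindings currentNode and request.
var privilegesInfo = new Packages.org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo();
var canModify = privilegesInfo.canModifyProperties(currentNode);
var canDelete = privilegesInfo.canDelete(currentNode);

// Escape values before writing them into HTML attributes.
function esc(s) {
    return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
                    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
var action = esc(request.getContextPath() + request.getResource().getPath());

// UI hint only: a client such as curl can still send the POST, and the
// repository then allows or denies it based on the user's privileges.
var modifyAttr = canModify ? "" : " disabled=\"disabled\"";
var deleteAttr = canDelete ? "" : " disabled=\"disabled\"";
%>
<form method="POST" action="<%= action %>">
  <input type="text" name="title"<%= modifyAttr %> />
  <input type="submit" value="Save"<%= modifyAttr %> />
</form>
<form method="POST" action="<%= action %>">
  <input type="hidden" name=":operation" value="delete" />
  <input type="submit" value="Delete"<%= deleteAttr %> />
</form>
```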