Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
Scripting Core 2.4.8
-
None
Description
In order to show the variable bindings, the webconsole plugin introduced with SLING-3543 and then refined with SLING-10147 uses a "trick" and actually invokes Sling via a servlet to get the requested information.
The check in the servlet is only checking if there is a WebConsoleSecurityProvider2 registered - it is not checking whether it is the correct one, nor whether that is actually using Sling authentication.
With new features added to the Sling API we can completely remove that default servlet and let the plugin directly call into Sling. This gives a "correct" check, removes the unneeded default servlet and reduces the dependency on the web console.
Attachments
Issue Links
- links to