as discussed before it it would be generally preferable to perform event-based with the original subject that triggered the event instead of using a clone of the privileged session that was used to register the event listener.
using the original subject (instead of just using the privileged session) will ultimately always results in the same piece of code which consists of
- SlingRepository.loginService or SlingRepository.loginAdministrative followed by
- Session.impersonate to obtain a session associated with the original subject
- Session.logout for the privileged session
- Session.logout for the impersonated session
To ease the usage of the original subject, which usually would be preferable from a security point of view, I would like to suggest to introduce SlingRepository.impersonateFromService, which not only reduced the total amount of code to be written but also helped developers to move away from using loginAdministrative. Furthermore an implementation may also take advantage of implementation details and avoid the duplicate authentication altogether.
Initial proposal of the API extension -> see attached patch