COMMENTS

• By Christian Sprecher - 5:18 PM on Apr 11, 2008   Reply

  The transition from static (or copied) to dynamic html is fantastic. You really can imagine sitting together with a customer and his static prototype and making it work. Nice!<br/><br/>I am a little concerned about the filtering of allowed data on the client side: if this data would have been sensitive, it would have been a problem, since first the content is retrieved (with Sling.getContent()) and then the data is filtered. But that is just a security guy's reflex, sorry for that :).<br/><br/>

   
• By Michael Marth - 6:33 PM on Apr 11, 2008   Reply

  Christian,<br/><br/>the data is actually filtered on the server side. The repository will return only the nodes to which to user (in the case of the video: the anonymous user) has access to. The application will not see any other data, hence security concerns are removed from the app developer. This is quite different from typical RDBMS-based web apps where the connection to the db occurs through a technical user so that the application needs to filter rows.<br/><br/>Cheers<br/>Michael

   
• By Richard Metzler - 6:26 AM on Apr 12, 2008   Reply

  Would you do a next screencast on the generation/integration of feeds in a crx-website? I would greatly appreciate that.

   
• By Christian Sprecher - 8:19 AM on Apr 12, 2008   Reply

  Hi Michael<br/><br/>Don't mean to be picky, but if also the "not yet approved" posts would be filtered out on the server side, no <code>if post.approved=="yes"</code> statement would be necessary (at about 12' in the video). This means that the anonymous user should be able to see also the unapproved posts in the http response stream. Perhaps you can check this with firebug. <br/><br/>AFAIK there is no possibility to define an access check on attribute values in JCR. One possibility would be to move the unapproved posts to another location in the tree, which is only accessible by admins.<br/><br/>This is a general issue with ajax-enabled web applications, nothing special to Sling.<br/><br/>Cheers

   
• By Michael Marth - 3:49 PM on Apr 13, 2008   Reply

  Richard,<br/><br/>thanks for your suggestions. Feed generation is really simple (<a href="http://dev.day.com/microsling/content/blogs/main/bloghowto1.html">here is an example</a>), but I am not quite sure what yo mean with feed integration. On the client side? That would be pure JS. Or do you want to write a feed into the repository on the server?<br/><br/>You can also drop me a line (see mail address in the footer)<br/><br/>Cheers<br/>Michael<br/>

   
• By Michael Marth - 4:19 PM on Apr 13, 2008   Reply

  Christian, you are right, of course. The filtering in the screencast does not utilize JCR's security (for brevity of the screencast). I would implement this as you suggest as well: move approved posts to a folder that only admins can write into, but anonymous users can read from.

   
• By Michael Marth - 10:05 AM on Apr 16, 2008   Reply

  Re the WebDAV mount: the WebDAV server can also be mounted from the root (i.e. the URL would be http://localhost:7402/)

   
• By Ben Short - 3:51 PM on Aug 08, 2009   Reply

  Great screen casts. I'd like to see a follow up showing how to only allow access to the admin page to certain users.<br/><br/>Also how would you go about validating fields? Would this be done in client side javascript or can this be done in the JCR?

   
• By Darren - 7:45 PM on Mar 30, 2010   Reply

  What happened to the screencast?

   
• By James - 9:04 AM on Apr 09, 2010   Reply

  Hmmm... there seems to be a broken link somewhere....