From 5bdaabe8652ee19d848974389ad24a779dbb5a3e Mon Sep 17 00:00:00 2001 From: Barry d'Hoine Date: Thu, 28 Sep 2023 22:54:24 +0200 Subject: [PATCH] Limit permissions of service user and update docs for security --- CHANGELOG.md | 4 + README.md | 185 ++---------------- all/pom.xml | 2 +- api/pom.xml | 2 +- bundle/pom.xml | 2 +- .../impl/DefaultConfigurationService.groovy | 2 +- docs/configuration.md | 18 ++ docs/execution.md | 34 ++++ docs/extension.md | 33 ++++ docs/installation.md | 83 ++++++++ groovy/groovy-osgi/pom.xml | 2 +- groovy/pom.xml | 2 +- pom.xml | 2 +- ui.apps.aem/pom.xml | 2 +- ui.apps.structure/pom.xml | 2 +- ui.apps/pom.xml | 2 +- ui.config/pom.xml | 2 +- ...RepositoryInitializer-groovyconsole.config | 6 +- ui.content/pom.xml | 2 +- 19 files changed, 207 insertions(+), 180 deletions(-) create mode 100644 docs/configuration.md create mode 100644 docs/execution.md create mode 100644 docs/extension.md create mode 100644 docs/installation.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 48e00554..3b00afd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Permissions for the `aem-groovy-console-service` service user are limited to save scripts and read user groups, if distributed or scheduled execution is enabled you need to add extra permissions: [#46](https://github.com/orbinson/aem-groovy-console/issues/46) + ## [19.0.4] - 2023-08-14 ### Added diff --git a/README.md b/README.md index 592f5eba..a5a44a96 100644 --- a/README.md +++ b/README.md 
@@ -3,25 +3,21 @@ [![Build and test for AEM 6.5](https://github.com/orbinson/aem-groovy-console/actions/workflows/build.yml/badge.svg)](https://github.com/orbinson/aem-groovy-console/actions/workflows/build.yml) [![Build with AEM IDE](https://img.shields.io/badge/Built%20with-AEM%20IDE-orange)](https://plugins.jetbrains.com/plugin/9269-aem-ide) - # AEM Groovy Console -> [!IMPORTANT] -> Currently Adobe Managed Services is not allowing AEM Groovy Console to be installed on production publish environments for security reasons. We are taking actions in order to get it accepted. - -## Overview +> Adobe Managed Services is not allowing AEM Groovy Console to be installed currently on production publish environments for security reasons. We are taking actions in order to get it accepted. The AEM Groovy Console provides an interface for running [Groovy](https://www.groovy-lang.org) scripts in Adobe Experience Manager. Scripts can be created to manipulate content in the JCR, call OSGi services, or execute arbitrary code using the AEM, Sling, or JCR APIs. After installing the package in AEM (instructions below), see -the [console page](http://localhost:4502/groovyconsole) for documentation on the available bindings and methods. Sample -scripts are included in the package for reference. +the [console page](http://localhost:4502/groovyconsole) for documentation on the available bindings and methods. [Sample +scripts](ui.content/src/main/content/jcr_root/conf/groovyconsole/scripts/samples) are included in the package for reference. ![Screenshot](docs/assets/screenshot.png) ## Compatibility -AEM Groovy Console 19.0.1+ runs on Java 8 and 11 with an embedded Groovy version of 4.0.9 +AEM Groovy Console `19.0.1+` runs on Java `8` and `11` with an embedded Groovy version of `4.0.9`. Supported versions: 
@@ -29,177 +25,36 @@ Supported versions: * AEM as a Cloud Service: `>= 2022.11` * Sling: `>=12` -To install the AEM Groovy Console on older AEM versions check the original -project [aem-groovy-console](https://github.com/CID15/aem-groovy-console) - -## Installation - -### Manual +Consult the [installation](docs/installation.md) documentation how you can start using the AEM Groovy Console. -1. Download the - console [aem-groovy-console-all](https://github.com/orbinson/aem-groovy-console/releases/download/19.0.3/aem-groovy-console-all-19.0.3.zip) - content package and install with [PackMgr](http://localhost:4502/crx/packmgr). For previous versions you can search - on the [Maven Central repository](https://search.maven.org/search?q=a:aem-groovy-console). - -2. Navigate to the [groovyconsole](http://localhost:4502/groovyconsole) page. - -### Maven profiles +To install the AEM Groovy Console on older AEM versions check the original +project [aem-groovy-console](https://github.com/CID15/aem-groovy-console). -Maven profiles can be used to install the bundles to AEM / Sling +## Usage -* AEM Author running on localhost:4502 - * api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy` - * all: `-P auto-deploy-single-package,aem` -* AEM Publish running on localhost:4503 - * api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy,publish` - * all: `-P auto-deploy-single-package,aem,publish` -* Sling running on localhost:8080 - * api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy,sling` - * all: `-P auto-deploy-single-package,sling` +There are several ways to [execute](docs/execution.md) Groovy scripts. The AEM Groovy Console also comes with a lot of [configuration](docs/configuration.md) options. If you want to extend the AEM Groovy Console consult the [extension](docs/extension.md) documentation for extension hooks, registering additional metaclasses and how to add notifications. 
-### Embedded package +## Security -To deploy the Groovy Console as an embedded package you need to update your `pom.xml` +When executing Groovy Scripts using the AEM Groovy Console web interface or with HTTP requests all bindings and methods will run in the context of the request. This means the user used to authenticate needs to have sufficient permissions to execute the content of the scripts. -1. Add the `aem-groovy-console-all` to the `` section +The `aem-groovy-console-service` [service user](ui.config/src/main/content/jcr_root/apps/groovyconsole-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-groovyconsole.config) is used to save scripts to the default location and to create audit records. - ```xml - - be.orbinson.aem - aem-groovy-console-all - 19.0.3 - zip - - ``` -2. Embed the package in with - the [filevault-package-maven-plugin](https://jackrabbit.apache.org/filevault-package-maven-plugin/) in - the `` section +In order to run distributed scripts or create scheduled jobs, which is disabled by default, you need [configure](docs/configuration.md) specific user groups to allow script execution and add permissions for the `aem-groovy-console-service`. - ```xml - - be.orbinson.aem - aem-groovy-console-all - /apps/vendor-packages/content/install - - ``` +If you need access to the repository for scheduled or distributed execution you need to configure extra permissions on the service user. -### AEM Dispatcher +If you want to use distributed execution make sure to add replication permissions on `/conf/groovyconsole/replication` and to add extra permissions for the service user. -If you need to have the Groovy Console available through the dispatcher on a publish instance you can add the filters -following configuration. 
+An example of a RepoInit script to achieve this would be ```text -# Allow Groovy Console page -/001 { - /type "allow" - /url "/groovyconsole" -} -/002 { - /type "allow" - /url "/apps/groovyconsole.html" -} - -# Allow servlets -/003 { - /type "allow" - /path "/bin/groovyconsole/*" -} -``` - -## Building From Source - -To build and install the latest development version of the Groovy Console to use in AEM (or if you've made source -modifications), run -the following Maven command. - -```shell -mvn clean install -P autoInstallSinglePackage -``` - -## OSGi Configuration - -To check the OSGi configuration navigate to -the [Groovy Console Configuration Service](http://localhost:4502/system/console/configMgr/be.orbinson.aem.groovy.console.configuration.impl.DefaultConfigurationService) -OSGi configuration page. - -| Property | Description | Default Value | -|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------| -| Email Enabled? | Check to enable email notification on completion of script execution. | `false` | -| Email Recipients | Email addresses to receive notification. | `[]` | -| Script Execution Allowed Groups | List of group names that are authorized to use the console. By default, only the 'admin' user has permission to execute scripts. | `[]` | -| Scheduled Jobs Allowed Groups | List of group names that are authorized to schedule jobs. By default, only the 'admin' user has permission to schedule jobs. | `[]` | -| Audit Disabled? | Disables auditing of script execution history. | `false` | -| Display All Audit Records? | If enabled, all audit records (including records for other users) will be displayed in the console history. | `false` | -| Thread Timeout | Time in seconds that scripts are allowed to execute before being interrupted. If 0, no timeout is enforced. | 0 | -| Distributed execution enabled? 
| If enabled, a script will be able to be replicated from an author and executed on all default replication agents. | `false` | - -## Batch script execution - -Saved scripts can be remotely executed by sending a POST request to the console servlet with either the `scriptPath` -or `scriptPaths` query parameter. - -### Single script - -```shell -curl -d "scriptPath=/conf/groovyconsole/scripts/samples/JcrSearch.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json -``` - -### Multiple scripts - -```shell -curl -d "scriptPaths=/conf/groovyconsole/scripts/samples/JcrSearch.groovy&scriptPaths=/conf/groovyconsole/scripts/samples/FulltextQuery.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json +set ACL for aem-groovy-console-service + allow jcr:all,crx:replicate on /conf/groovyconsole/replication + allow jcr:all /content +end ``` -## Extensions - -The Groovy Console provides extension hooks to further customize script execution. The console provides an API -containing extension provider interfaces that can be implemented as OSGi services in any bundle deployed to an AEM -instance. See the default extension providers in the `be.orbinson.aem.groovy.console.extension.impl` package for -examples of how a bundle can implement these services to supply additional script bindings, compilation customizers, -metaclasses, and star imports. - -| Service Interface | Description | -|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------| -| `be.orbinson.aem.groovy.console.api.BindingExtensionProvider` | Customize the bindings that are provided for each script execution. | -| `be.orbinson.aem.groovy.console.api.CompilationCustomizerExtensionProvider` | Restrict language features (via blacklist or whitelist) or provide AST transformations within the Groovy script compilation. 
| -| `be.orbinson.aem.groovy.console.api.ScriptMetaClassExtensionProvider` | Add runtime metaclasses (i.e. new methods) to the underlying script class. | -| `be.orbinson.aem.groovy.console.api.StarImportExtensionProvider` | Supply additional star imports that are added to the compiler configuration for each script execution. | - -## Registering Additional Metaclasses - -Services implementing the `be.orbinson.aem.groovy.console.extension.MetaClassExtensionProvider` will be automatically -discovered and bound by the OSGi container. These services can be implemented in any deployed bundle. The AEM Groovy -Extension bundle will handle the registration and removal of supplied metaclasses as these services are -activated/deactivated in the container. See the `DefaultMetaClassExtensionProvider` service for the proper closure -syntax for registering metaclasses. - -## Notifications - -To provide custom notifications for script executions, bundles may implement -the `be.orbinson.aem.groovy.console.notification.NotificationService` interface (see -the `be.orbinson.aem.groovy.console.notification.impl.EmailNotificationService` class for an example). These services -will -be dynamically bound by the Groovy Console service and all registered notification services will be called for each -script execution. - -## Scheduler - -The Scheduler allows for immediate (asynchronous) or Cron-based script execution. Scripts are executed -as [Sling Jobs](https://sling.apache.org/documentation/bundles/apache-sling-eventing-and-job-handling.html) and are -audited in the same manner as scripts executed in the console. - -### Scheduled Job Event Handling - -Bundles may implement services -extending `be.orbinson.aem.groovy.console.job.event.AbstractGroovyConsoleScheduledJobEventHandler` to provide -additional post-processing or notifications for completed Groovy Console jobs. 
-See `be.orbinson.aem.groovy.console.job.event.DefaultGroovyConsoleEmailNotificationEventHandler` for an example of the -required annotations to register a custom event handler. - -## Sample Scripts - -Sample scripts can be found in the [samples](src/main/content/jcr_root/conf/groovyconsole/scripts/samples) directory. - ## Kudos Kudos to [ICF Next](https://github.com/icfnext/aem-groovy-console) diff --git a/all/pom.xml b/all/pom.xml index c362595a..58a3d98b 100644 --- a/all/pom.xml +++ b/all/pom.xml @@ -6,7 +6,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-all diff --git a/api/pom.xml b/api/pom.xml index 09c24d4c..106e16ac 100644 --- a/api/pom.xml +++ b/api/pom.xml @@ -8,7 +8,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-api diff --git a/bundle/pom.xml b/bundle/pom.xml index ddf3ccd4..c3a3d50f 100644 --- a/bundle/pom.xml +++ b/bundle/pom.xml @@ -8,7 +8,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-bundle diff --git a/bundle/src/main/groovy/be/orbinson/aem/groovy/console/configuration/impl/DefaultConfigurationService.groovy b/bundle/src/main/groovy/be/orbinson/aem/groovy/console/configuration/impl/DefaultConfigurationService.groovy index 1f225fa8..7fdb6968 100755 --- a/bundle/src/main/groovy/be/orbinson/aem/groovy/console/configuration/impl/DefaultConfigurationService.groovy +++ b/bundle/src/main/groovy/be/orbinson/aem/groovy/console/configuration/impl/DefaultConfigurationService.groovy 
@@ -106,7 +106,7 @@ class DefaultConfigurationService implements ConfigurationService { resourceResolverFactory.getServiceResourceResolver(null).withCloseable { resourceResolver -> def userManager = resourceResolver.adaptTo(UserManager); if (userManager != null) { - def user = resourceResolver.adaptTo(UserManager).getAuthorizable(request.userPrincipal) as User + def user = userManager.getAuthorizable(request.userPrincipal) as User def memberOfGroupIds = user.memberOf()*.ID LOG.debug("member of group IDs : {}, allowed group IDs : {}", memberOfGroupIds, groupIds) diff --git a/docs/configuration.md b/docs/configuration.md new file mode 100644 index 00000000..3380d676 --- /dev/null +++ b/docs/configuration.md 
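Review bot: The `user` returned by `userManager.getAuthorizable(request.userPrincipal)` is dereferenced on the next line (`user.memberOf()*.ID`) without a null check, although the hunk already guards `userManager` itself. `getAuthorizable` returns null when the session cannot resolve or read the authorizable, and this lookup runs on the service resolver whose ACL this same commit narrows to `jcr:read on /home/groups`, so it is worth confirming that the service user can still see the requesting user's node. A guard such as `def memberOfGroupIds = user ? user.memberOf()*.ID : []` would make an unresolved user count as a member of no allowed group instead of throwing. The rest of the method lies outside the hunk, so check there that an empty list ends in a denial.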
@@ -0,0 +1,18 @@ +# Configuration + +To check the OSGi configuration navigate to +the [Groovy Console Configuration Service](http://localhost:4502/system/console/configMgr/be.orbinson.aem.groovy.console.configuration.impl.DefaultConfigurationService) +OSGi configuration page. + +The following configuration properties are available: + +| Property | Description | Default Value | +|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------| +| Email Enabled? | Check to enable email notification on completion of script execution. | `false` | +| Email Recipients | Email addresses to receive notification. | `[]` | +| Script Execution Allowed Groups | List of group names that are authorized to use the console. By default, only the 'admin' user has permission to execute scripts. | `[]` | +| Scheduled Jobs Allowed Groups | List of group names that are authorized to schedule jobs. By default, only the 'admin' user has permission to schedule jobs. | `[]` | +| Audit Disabled? | Disables auditing of script execution history. | `false` | +| Display All Audit Records? | If enabled, all audit records (including records for other users) will be displayed in the console history. | `false` | +| Thread Timeout | Time in seconds that scripts are allowed to execute before being interrupted. If 0, no timeout is enforced. | 0 | +| Distributed execution enabled? | If enabled, a script will be able to be replicated from an author and executed on all default replication agents. | `false` | diff --git a/docs/execution.md b/docs/execution.md new file mode 100644 index 00000000..ba59a007 --- /dev/null +++ b/docs/execution.md 
@@ -0,0 +1,34 @@ +# Execution + +There are a various way to run Groovy scripts with the AEM Groovy Console. + +## Batch script execution + +Saved scripts can be remotely executed by sending a POST request to the console servlet with either the `scriptPath` +or `scriptPaths` query parameter. + +### Single script + +```shell +curl -d "scriptPath=/conf/groovyconsole/scripts/samples/JcrSearch.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json +``` + +### Multiple scripts + +```shell +curl -d "scriptPaths=/conf/groovyconsole/scripts/samples/JcrSearch.groovy&scriptPaths=/conf/groovyconsole/scripts/samples/FulltextQuery.groovy" -X POST -u admin:admin http://localhost:4502/bin/groovyconsole/post.json +``` + +## Scheduler + +The Scheduler allows for immediate (asynchronous) or Cron-based script execution. Scripts are executed +as [Sling Jobs](https://sling.apache.org/documentation/bundles/apache-sling-eventing-and-job-handling.html) and are +audited in the same manner as scripts executed in the console. + +### Scheduled Job Event Handling + +Bundles may implement services +extending `be.orbinson.aem.groovy.console.job.event.AbstractGroovyConsoleScheduledJobEventHandler` to provide +additional post-processing or notifications for completed Groovy Console jobs. +See `be.orbinson.aem.groovy.console.job.event.DefaultGroovyConsoleEmailNotificationEventHandler` for an example of the +required annotations to register a custom event handler. diff --git a/docs/extension.md b/docs/extension.md new file mode 100644 index 00000000..67f6ecf3 --- /dev/null +++ b/docs/extension.md 
@@ -0,0 +1,33 @@ +# Extensions + +## Extension Hooks + +The Groovy Console provides extension hooks to further customize script execution. The console provides an API +containing extension provider interfaces that can be implemented as OSGi services in any bundle deployed to an AEM +instance. See the default extension providers in the `be.orbinson.aem.groovy.console.extension.impl` package for +examples of how a bundle can implement these services to supply additional script bindings, compilation customizers, +metaclasses, and star imports. + +| Service Interface | Description | +|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------| +| `be.orbinson.aem.groovy.console.api.BindingExtensionProvider` | Customize the bindings that are provided for each script execution. | +| `be.orbinson.aem.groovy.console.api.CompilationCustomizerExtensionProvider` | Restrict language features (via blacklist or whitelist) or provide AST transformations within the Groovy script compilation. | +| `be.orbinson.aem.groovy.console.api.ScriptMetaClassExtensionProvider` | Add runtime metaclasses (i.e. new methods) to the underlying script class. | +| `be.orbinson.aem.groovy.console.api.StarImportExtensionProvider` | Supply additional star imports that are added to the compiler configuration for each script execution. | + +## Registering Additional Metaclasses + +Services implementing the `be.orbinson.aem.groovy.console.extension.MetaClassExtensionProvider` will be automatically +discovered and bound by the OSGi container. These services can be implemented in any deployed bundle. The AEM Groovy +Extension bundle will handle the registration and removal of supplied metaclasses as these services are +activated/deactivated in the container. 
See the `DefaultMetaClassExtensionProvider` service for the proper closure +syntax for registering metaclasses. + +## Notifications + +To provide custom notifications for script executions, bundles may implement +the `be.orbinson.aem.groovy.console.notification.NotificationService` interface (see +the `be.orbinson.aem.groovy.console.notification.impl.EmailNotificationService` class for an example). These services +will +be dynamically bound by the Groovy Console service and all registered notification services will be called for each +script execution. diff --git a/docs/installation.md b/docs/installation.md new file mode 100644 index 00000000..18edf031 --- /dev/null +++ b/docs/installation.md 
@@ -0,0 +1,83 @@ +# Installation + +## Manual + +1. Download the + console [aem-groovy-console-all](https://github.com/orbinson/aem-groovy-console/releases/download/19.0.3/aem-groovy-console-all-19.0.3.zip) + content package and install with [PackMgr](http://localhost:4502/crx/packmgr). For previous versions you can search + on the [Maven Central repository](https://search.maven.org/search?q=a:aem-groovy-console). + +2. Navigate to the [groovyconsole](http://localhost:4502/groovyconsole) page. + +## Embedded package + +To deploy the Groovy Console as an embedded package you need to update your `pom.xml` + +1. Add the `aem-groovy-console-all` to the `` section + + ```xml + + be.orbinson.aem + aem-groovy-console-all + 19.0.3 + zip + + ``` +2. Embed the package in with + the [filevault-package-maven-plugin](https://jackrabbit.apache.org/filevault-package-maven-plugin/) in + the `` section + + ```xml + + be.orbinson.aem + aem-groovy-console-all + /apps/vendor-packages/content/install + + ``` + +## AEM Dispatcher + +If you need to have the Groovy Console available through the dispatcher on a publish instance you can add the filters +following configuration. + +```text +# Allow Groovy Console page +/001 { + /type "allow" + /url "/groovyconsole" +} +/002 { + /type "allow" + /url "/apps/groovyconsole.html" +} + +# Allow servlets +/003 { + /type "allow" + /path "/bin/groovyconsole/*" +} +``` + +## Building From Source + +To build and install the latest development version of the Groovy Console to use in AEM (or if you've made source +modifications), run +the following Maven command. + +```shell +mvn clean install -P autoInstallSinglePackage +``` + +### Maven profiles + +Maven profiles can be used to install the bundles to AEM / Sling. 
+ +* AEM Author running on http://localhost:4502 + * api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy` + * all: `-P auto-deploy-single-package,aem` +* AEM Publish running on http://localhost:4503 + * api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy,publish` + * all: `-P auto-deploy-single-package,aem,publish` +* Sling running on http://localhost:8080 + * api, bundle, ui.apps, ui.apps.aem, ui.config, ui.content: `-P auto-deploy,sling` + * all: `-P auto-deploy-single-package,sling` diff --git a/groovy/groovy-osgi/pom.xml b/groovy/groovy-osgi/pom.xml index b99ceb5e..6317cfa8 100644 --- a/groovy/groovy-osgi/pom.xml +++ b/groovy/groovy-osgi/pom.xml @@ -8,7 +8,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT ../../pom.xml diff --git a/groovy/pom.xml b/groovy/pom.xml index 339c51c5..5e2b02d2 100644 --- a/groovy/pom.xml +++ b/groovy/pom.xml @@ -8,7 +8,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT pom diff --git a/pom.xml b/pom.xml index 5ca29aaa..e3df3d25 100644 --- a/pom.xml +++ b/pom.xml @@ -8,7 +8,7 @@ be.orbinson.aem aem-groovy-console pom - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT AEM Groovy Console diff --git a/ui.apps.aem/pom.xml b/ui.apps.aem/pom.xml index ab527a82..5647fc1d 100644 --- a/ui.apps.aem/pom.xml +++ b/ui.apps.aem/pom.xml @@ -6,7 +6,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-ui.apps.aem diff --git a/ui.apps.structure/pom.xml b/ui.apps.structure/pom.xml index c5a6bfcf..ee31015f 100644 --- a/ui.apps.structure/pom.xml +++ b/ui.apps.structure/pom.xml @@ -5,7 +5,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-ui.apps.structure diff --git a/ui.apps/pom.xml b/ui.apps/pom.xml index 295ff28f..1b2aa653 100644 --- a/ui.apps/pom.xml +++ b/ui.apps/pom.xml @@ -6,7 +6,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-ui.apps 
diff --git a/ui.config/pom.xml b/ui.config/pom.xml index 65698aa0..b9c6404c 100644 --- a/ui.config/pom.xml +++ b/ui.config/pom.xml @@ -5,7 +5,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-ui.config diff --git a/ui.config/src/main/content/jcr_root/apps/groovyconsole-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-groovyconsole.config b/ui.config/src/main/content/jcr_root/apps/groovyconsole-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-groovyconsole.config index 95817846..6cc2ab8b 100644 --- a/ui.config/src/main/content/jcr_root/apps/groovyconsole-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-groovyconsole.config +++ b/ui.config/src/main/content/jcr_root/apps/groovyconsole-config/osgiconfig/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-groovyconsole.config @@ -1,5 +1,4 @@ -scripts=[ -" +scripts=[" create path /conf/groovyconsole/replication(sling:Folder) create path /conf/groovyconsole/scripts(sling:Folder) @@ -7,7 +6,8 @@ create path /var/groovyconsole/audit(nt:unstructured) create service user aem-groovy-console-service with path system/aem-groovy-console set ACL for aem-groovy-console-service - allow jcr:all on / + allow jcr:read on /home/groups + allow jcr:all on /conf/groovyconsole/scripts allow jcr:all on /var/groovyconsole/audit end "] diff --git a/ui.content/pom.xml b/ui.content/pom.xml index 5b5359da..4f0f044f 100644 --- a/ui.content/pom.xml +++ b/ui.content/pom.xml @@ -6,7 +6,7 @@ be.orbinson.aem aem-groovy-console - 19.0.5-SNAPSHOT + 20.0.0-SNAPSHOT aem-groovy-console-ui.content
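Review bot: `allow jcr:all on /conf/groovyconsole/scripts` and `allow jcr:all on /var/groovyconsole/audit` still grant more than saving scripts and writing audit records appears to need, because `jcr:all` includes `jcr:modifyAccessControl` and so lets the service session rewrite the ACLs on those subtrees. If the service only creates, updates and deletes nodes there, `allow jcr:read,rep:write on /conf/groovyconsole/scripts` (and the same on the audit path) keeps the least-privilege intent of this change. A short comment above the ACL block, e.g. `# read group membership for the allowed-groups checks`, would also record why `/home/groups` is readable.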