AnsweredAssumed Answered

Runas javascript permissions

Question asked by marco.altieri on Aug 3, 2010
I found some posts that talk about the security risks of implementing a "Run As" functionality for the execution of javascripts.
This is the most interesting:

I developed a new action called "Run Script as" that allows the admin to specify the user that will execute the action.
Now I have the possibility to define rules that execute javascripts as admin (it has not to be necessary the admin user, but the user configured with action wizard).
The action does nothing special: just run the javascript inside the RunAs.

    new AuthenticationUtil.RunAsWork<Object>() {
          public Object doWork() throws Exception {
              return completeAction(af, node);

where completeAction executes (after some initializations)

this.serviceRegistry.getScriptService().executeScript(this.scriptLocation, model);

where this.scriptLocation is the "javascript to execute".

Only admin can use this action to create new rules.

I think that it's secure. Isn't it ?