Recently we had our security tests in the platform, where one finding raised critical was the request sent to /content/dam/.permissions.json?privileges= jcr%3AmodifyAccessControl under cross site scripting tampering the request to execute script.
now the question, will there be any impact in author if I block .permissions.json/* requests in dispatcher ? does it affect any functionalities ?
There will be other areas that are not used by Content Authors affected too.
One major area, can immedeately see, would be permission/user/group management tool, useradmin, it would completely stop displaying all permissions for specific user/group.
When you will click on "Create Folder" button in Touch UI Assets broweser, you won't see the checkbox option that say "private", it simply won't be there, due to the fact that AEM could not retieve requests value and due to this it won't be shown.
Please note, have used AEM 6.4 SP2 to get this info.
is that the only functionality that affects if I block, rest all will work as expected ? there wont be any issues with user permissions or for authors ?
There will be other areas that are not used by Content Authors affected too.
One major area, can immedeately see, would be permission/user/group management tool, useradmin, it would completely stop displaying all permissions for specific user/group.
