0

I have a field in a cq5 component that I don't want made public. Is there any way to restrict a field so its only available through a jsp call or some other method on the server but not available if you request information from a JSON call?

Ben Newman
  • 33
  • 1
  • 3
  • what is request URL? and also what is the usecase you are trying to achieve by reading properties of this component – Rupesh Oct 14 '13 at 16:53
  • I'm reading the properties of the component to power a javascript component. basically if I have a simple component with 2 text fields, publicText and privateText and I drop it on a page I can request information with a URL like this: – Ben Newman Oct 14 '13 at 18:06
  • localhost:8080/content/test/jcr:content/par/test/pr_par_1358357006352.json.3.json and get something like this back `{ "jcr:lastModifiedBy": "admin", "sling:resourceType": "dev/components/test", "publicText": "foo", "privateText": "bar", "jcr:lastModified": "Tue Apr 02 2013 10:40:40 GMT-0700", "jcr:primaryType": "nt:unstructured", }` I want to make it so the privateText field is unavailable but the publicText field is – Ben Newman Oct 14 '13 at 18:07

1 Answers1

1

One method may be to create the private field on a child node of the node that has the public field. Then use user permissions to restrict the access to that child node. In the server side code you'd need to access it via an account that has permission to read it.

Another option may be to encrypt the private value so that even though it is viewable via the .json url, it is meaningless. The server side code would have the key to decrypt it so it would be usable there.

I don't think you can set permissions on properties in CRX--I believe the security model applies the permissions only at the node level. Per the JCR specification:

16.3.9 Access to Properties

Access to a property is controlled by the effective access control policies of its parent node.

Shawn
  • 8,374
  • 5
  • 37
  • 60
  • If you want to encrypt values, note that recent versions of CQ include a CryptoSupport service, see http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/crypto/CryptoSupport.html – Bertrand Delacretaz Oct 18 '13 at 07:10