Addressing the following ticket did raise some questions:
This ticket has 2 points:
- attribute "acl" is ignored
- default ACL is "public-read" instead of "private"
The first one is fixed; that is not the issue. What I'm concerned about is changing the default ACL from "public-read" to "private", because this possibly affects existing code. It is not an issue from a security perspective, but still an issue because we make the result of the S3 functionality more restrictive.
In my opinion we should not change the default behaviour within a patch, even if ACF acts differently in this case (which I did not test yet).
An idea to solve this is to add the following possibility to the Application.cfc:
this.s3.acl="private"; // sets the default ACL
Sure, you can already do the following today
What do you think about this?
Should we change the ACL behaviour (in the next patch, minor, major release)?
What you think about the