Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

Redundant jcr:read permissions on /conf #3376

Open kwin opened 3 days ago

kwin commented 3 days ago

The repoinit script from https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/all/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-acs-commons-all.config grants jcr:read in /conf to several system users. That is redundant as AEM 6.5 and AEMaaCS ship with the following default permissions for everyone:

allow jcr:read on /conf with restrictions: [rep:subtrees: '/global/site-templates/,/settings/wcm/,/sling:configs/,/settings/dam/cfm/models/,/settings/graphql/persistentQueries' ]

kwin commented 3 days ago

@YegorKozlov Any idea why we still ran into #3284? Was the aforementioned access control entry not enough (even the service user should inherit from everyone)...

Update: Never mind, found that redirects are stored below settings/redirects, which is not covered by any of the rep:subtrees from above!
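As an added example (not code from the issue or from the ACS AEM Commons project): a small Python model of how a rep:subtrees restriction scopes the default ACE quoted above, used to check which /conf paths that everyone-grant actually covers. The matching semantics are my assumption about Oak's restriction (a value starting with "/" matches wherever those path segments occur below /conf, a trailing "/" means descendants only, a bare value is a node name matched at any depth) and are not verified against the Oak source.

```python
# Constructed model of an Oak rep:subtrees-restricted ACE (assumed semantics, see
# lead-in). Access-controlled node is /conf, as in the AEM default grant.

ACL_ROOT = "/conf"

# The rep:subtrees values quoted in the issue (AEM 6.5 / AEMaaCS default ACE).
DEFAULT_SUBTREES = [
    "/global/site-templates/",
    "/settings/wcm/",
    "/sling:configs/",
    "/settings/dam/cfm/models/",
    "/settings/graphql/persistentQueries",
]


def _segments(path: str) -> list[str]:
    return [s for s in path.split("/") if s]


def subtree_matches(subtree: str, path: str, acl_root: str = ACL_ROOT) -> bool:
    """True if `path` lies in the scope of one rep:subtrees value (assumed rules)."""
    if path != acl_root and not path.startswith(acl_root + "/"):
        return False  # outside the access-controlled node entirely
    rel = _segments(path[len(acl_root):])
    if not subtree.startswith("/"):
        return subtree in rel  # plain name: matches at any depth
    descendants_only = subtree.endswith("/")
    pat = _segments(subtree)
    n = len(pat)
    for i in range(len(rel) - n + 1):
        if rel[i:i + n] == pat:
            # The node itself matches unless the value ends with "/", in which
            # case only its descendants are in scope.
            if not descendants_only or len(rel) > i + n:
                return True
    return False


def read_granted(path: str, subtrees=DEFAULT_SUBTREES) -> bool:
    """Does the restricted everyone ACE grant jcr:read on `path`?"""
    return any(subtree_matches(s, path) for s in subtrees)


if __name__ == "__main__":
    for p in ("/conf/mysite/settings/wcm/templates/page",
              "/conf/mysite/settings/redirects"):
        print(p, "->", "covered" if read_granted(p) else "NOT covered")
```

Under these assumptions the redirect location below settings/redirects is the only one of the probed paths that falls outside the default grant, which is why the service user still needs its own jcr:read there.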