You mean that there is no way we could make functional tests work if I need
to check the user password, since this should require PR? Should we give up
this password verification then ?
On Mon, Apr 29, 2013 at 1:34 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
On 04/29/2013 06:22 AM, Thomas Delafosse wrote:
Hi,
Thanks for the piece of advice. Since I need access to the context
and
would like to be able to put some warning in the
logs if an error occurs
while checking the password, I think I would put the method in
com.xpn.xwiki.api.User rather than in XWikiUser. But of course I would
check for the Programming Rights to avoid Brute force.
This won't solve the failing tests problem, since they fail because we
don't have an Admin account with programming rights.
Thanks,
Thomas
On Thu, Apr 25, 2013 at 5:02 PM, Vincent Massol <vincent(a)massol.net>
wrote:
> Hi,
>
> On Apr 25, 2013, at 12:15 AM, Denis Gervalle <dgl(a)softec.lu> wrote:
>
>> On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse <
>> thomas.delafosse(a)xwiki.com> wrote:
>>
>>> Hello all,
>>>
>>> I've been working on some improvements on user changing password
(see
>>> XWiki-6882). In particular, I tried
to make mandatory, for an user
> wanting
>>> to change his password, to submit also his current password, so that I
>>> could check it.
>>> The problem is that there is no way to make this check through
> velocity. I
>>> tried to use some groovy instead, but it breaks the functional tests.
> So I
>>> need to introduce a new method "checkPassword" accessible from
velocity
>>> scripts. The question is, where
should I implement it ?
>>> There are two possibilities
>>> 1) Wrote a new component
>>> 2) Add this method in an existing API.
>>> I don't really like 1), as I feel it would be strange to introduce a
new
>>> service with only one method.
>>> In the meanwhile, for 2), I don't really know in which API this method
>>> could fit. Sergiu told me that I could perhaps put it in
>>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi,
>>> but that it wasn't really good either. Any ideas ?
>>>
>>
>> IMO, you should use an existing API that will be deprecated as soon as
we
>> have a real security authentication
module. However, I not think
>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the
right
>> place, I would see it more in
com.xpn.xwiki.user.api.XWikiUser, with
>> the advantage that reaching it will require PR (preventing brute force
>> attack).
>>
>> In the new authentication module, the abstraction should be really
>> improved, allowing to change the password outside of the XWiki as well,
> if
>> the authentication backend support such feature. The notion of password
>> will need to be abstracted as well, since there is more then just
> password
>> for authentication. So, this will surely be another story, and it is
>> not foreseeable now.
>
> I agree with Denis here. Regarding the location in the existing code, I
> don't have any strong opinion.
>
> Thanks
> -Vincent
--
Sergiu Dumitriu
http://purl.org/net/sergiu
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs