5 Aug
2013
5 Aug
'13
6:39 p.m.
I don`t understand. Why not make it the contract of the QueryExecutor that,
if it manages possibly sensitive data, it is in charge of checking rights?
This is how we do it for Solr.
Thanks,
Eduard
On Mon, Aug 5, 2013 at 1:45 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
We can add another marker interface,
PrivilegedQueryExecutor or
something like that, which informs that it can execute privileged
queries, so it's up to the query manager to prevent them from running in
an unprivileged environment.
On 08/05/2013 03:16 AM, Thomas Mortagne wrote:
It's not as simple as moving the ifs from
SecureQueryExecutorManager
to each QueryExecutor since the query executors don't know if they
need to check rights.
On Sun, Aug 4, 2013 at 7:34 PM, Eduard Moraru <enygma2002(a)gmail.com>
wrote:
> Hi devs,
>
> It seems that our SecureQueryManager [1] is preventing the execution of
> queries other than XWQL and HQL in the absence of PR.
>
> However, this is not at all a friendly policy when it comes to
extensions.
> An example of where this is causing problems
is Solr queries, where only
> users (well, document authors) with PR can execute them.
>
> As the subject says, I suggest removing this restriction and leaving
rights
> check to be performed in each
QueryExecutor's execute() method.
>
> The associated Jira issue is XWIKI-9386 [2]
>
> Here's my +1.
>
> Thanks,
> Eduard
--
Sergiu Dumitriu
http://purl.org/net/sergiu
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs