Hi Vincent,

Will not discuss the delete issue any further given that Sergiu already
answered it.

On 8/6/2013 19:40, Vincent Massol wrote:

Of course one can argue that you can always edit
and leave the page blank but at least the history will be here and the page can be
rolled back. And it's not as easy as just clicking a delete button.

When you delete a page in xwiki, it will delete everything associated with that page
meaning all the rights, the instances and the classes. Is there a history for all of
those? I am kinda under the impression that only the content of the page is versioned
and can be rolled back...
And it just does not make sense that anyone who can edit, can touch the rights at all and
to some degree, same goes for the instances. And again, unless I am wrong, you can't
roll back those…

You can roll back anything.

That's good to know! I wasn't
sure everything was versioned.

In order to secure things I want to hook into the
XWikiRightServiceImpl, but it does not seem to be used.

There's a new security
module since 5.x:
See
http://extensions.xwiki.org/xwiki/bin/view/Extension/Security+Module

Great, thanks for the link!

Could you point me to the service that is
responsible for the authorizations/rights?
Also if you could explain to me how I can secure the HtmlMacro without touching its jar that
would be very helpful. From looking around and the discussion, I was under the impression
that it was possible but I just don't know how…

This is a work in progress.
There's a pull request from Thomas Delafosse about this but it's not been applied
yet AFAIK.

Okay so my best bet is to hack the macro directly and publish my own jar
of it.

BTW if you wish to report security issues and vulnerabilities the best is to use the
security mailing list and not the user or dev list since they're public, see
http://dev.xwiki.org/xwiki/bin/view/Community/MailingLists#HPrivateMailingL…

Good to know, will make sure to report further discovery there.

Thanks
-Vincent

Thanks again!