Note: after further discussions it appears that setting the author in
our XAR is not the solution (it must not be set in exports that aren't
backup exports).
I'm only going to modify the author that is set when classes are
created programmatically.
On Wed, Sep 16, 2009 at 12:13 PM, Jean-Vincent Drean <jv(a)xwiki.com> wrote:
On Tue, Sep 15, 2009 at 4:18 PM, Jean-Vincent Drean
<jv(a)xwiki.com> wrote:
Hi devs,
I'm currently working on documents we create from core/plugins or
those we bundle in XARs (xwiki/2.0 conversion, filling title field,
etc).
I'd like to take advantage of this to discuss the author we use
in those documents. We currently have 2 different behaviors:
- classes created from the core usually have their author set to ""
- classes created from plugins (skinx, scheduler, etc) or bundled in
our XARs usually have their author set to "XWiki.Admin"
It lacks consistency and it can lead to security issues. If for some
reason the administrator of a wiki decides to delete the XWiki.Admin
account, someone can re-create it and gain the authorship -- thus the
right to delete -- of plenty of XE documents.
We can decide to:
1) Only tackle the consistency problem and use "XWiki.Admin" everywhere
2) Solve the 2 problems by extending core policy to all our documents,
ie. use "" everywhere
3) Solve the 2 problems by using a special username everywhere, like "System".
Here's my +1 for 3), rationale:
- 1) is only a quick fix and core shouldn't be aware of a user that
comes with XE,
- 2) is fine except that not having an author seems unnatural from a user POV.
- In the future we could decide to have a special handler for the
"System" user, like pointing to a page explaining that it is a
pseudo-user when we use $xwiki.getLocalUserName("System").
JV.
I'm going to apply 3) with the author superadmin today, shout if you
realize that it was a bad idea.
Thanks,
JV.
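
Added example, not part of the original thread and not XWiki code: an audit for the risk described above, listing documents whose author names an account that no longer exists and could therefore be re-created. It assumes a simplified subset of the per-document XAR XML (web, name, author, and an XWiki.XWikiUsers object marking a user profile) and treats "" and XWiki.superadmin as authors that cannot be registered; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: authors that no visitor can register as a regular account.
BUILTIN_AUTHORS = {"", "XWiki.superadmin"}

# Constructed sample documents (simplified XAR document XML).
SAMPLE_DOCS = [
    "<xwikidoc><web>XWiki</web><name>SchedulerJobClass</name>"
    "<author>XWiki.Admin</author></xwikidoc>",
    "<xwikidoc><web>XWiki</web><name>TagClass</name><author></author></xwikidoc>",
    "<xwikidoc><web>Main</web><name>WebHome</name>"
    "<author>XWiki.JohnDoe</author></xwikidoc>",
    "<xwikidoc><web>XWiki</web><name>JohnDoe</name><author>XWiki.JohnDoe</author>"
    "<object><className>XWiki.XWikiUsers</className></object></xwikidoc>",
]


def parse_doc(xml_text):
    """Return (full document name, author, is_user_profile) for one document."""
    root = ET.fromstring(xml_text)
    full_name = "{}.{}".format(root.findtext("web") or "", root.findtext("name") or "")
    author = (root.findtext("author") or "").strip()
    # A document is a user profile if it carries an XWiki.XWikiUsers object.
    is_user = any(c.text == "XWiki.XWikiUsers" for c in root.iter("className"))
    return full_name, author, is_user


def dangling_authors(xml_docs, builtin=BUILTIN_AUTHORS):
    """Map each author with no matching user profile to the documents it owns."""
    parsed = [parse_doc(d) for d in xml_docs]
    existing_users = {name for name, _, is_user in parsed if is_user}
    findings = {}
    for name, author, _ in parsed:
        if author in builtin or author in existing_users:
            continue
        findings.setdefault(author, []).append(name)
    return {author: sorted(docs) for author, docs in findings.items()}


if __name__ == "__main__":
    for author, docs in sorted(dangling_authors(SAMPLE_DOCS).items()):
        print("author %r has no user profile; owns: %s" % (author, ", ".join(docs)))
```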