25 Apr
2013
25 Apr
'13
5:02 p.m.
Hi,
On Apr 25, 2013, at 12:15 AM, Denis Gervalle <dgl(a)softec.lu> wrote:
On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse
<
thomas.delafosse(a)xwiki.com> wrote:
I agree with Denis here. Regarding the location in the existing code, I don't have any
strong opinion.
Thanks
-Vincent
Hello all,
I've been working on some improvements on user changing password (see
XWiki-6882). In particular, I tried to make mandatory, for an user wanting
to change his password, to submit also his current password, so that I
could check it.
The problem is that there is no way to make this check through velocity. I
tried to use some groovy instead, but it breaks the functional tests. So I
need to introduce a new method "checkPassword" accessible from velocity
scripts. The question is, where should I implement it ?
There are two possibilities
1) Wrote a new component
2) Add this method in an existing API.
I don't really like 1), as I feel it would be strange to introduce a new
service with only one method.
In the meanwhile, for 2), I don't really know in which API this method
could fit. Sergiu told me that I could perhaps put it in
com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi,
but that it wasn't really good either. Any ideas ?
IMO, you should use an existing API that will be deprecated as soon as we
have a real security authentication module. However, I not think
com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the right
place, I would see it more in com.xpn.xwiki.user.api.XWikiUser, with
the advantage that reaching it will require PR (preventing brute force
attack).
In the new authentication module, the abstraction should be really
improved, allowing to change the password outside of the XWiki as well, if
the authentication backend support such feature. The notion of password
will need to be abstracted as well, since there is more then just password
for authentication. So, this will surely be another story, and it is
not foreseeable now.