Hi Christian,
On Aug 6, 2013, at 5:07 AM, Christian Meunier <christian.meunier(a)magelo.com> wrote:
[snip]
Ya programming right can't be stolen that easily but
you can do so much harm with just the edit permission...
I can wipe out an entire wiki, I can deny pretty much anyone any page, create arbitrary
instances of objects etc...
I can't even understand how people can use XWiki for a public wiki, it seems so easy to
mess up the whole thing.
[snip]
This is exactly what a wiki is for: an easy site to modify content. The reason wikis are
powerful is precisely because of that: low barrier to contribution and ability to easily
modify content.
The promise of a wiki is that it's easy to rollback changes (easier than for someone
to deface it).
You can find a lot of instances of public wikis on the web that work quite well. Just to
cite 3 public instances using 3 different wiki engines:
* wikipedia (mediawiki)
* xwiki.org (xwiki)
* https://www.dokuwiki.org/ (for ex go to https://www.dokuwiki.org/features and click the edit pencil) (dokuwiki)
Now obviously, for this to work you need community members that watch for vandalism
(http://en.wikipedia.org/wiki/Wikipedia:Vandalism).
But when you use a wiki, you want collaboration and this is a small price to pay in
exchange. Obviously if your vandalism rate is higher than your contribution rate you
should ask yourself questions and take some actions! ;) But in general it's good to
keep things open till there are problems since closing things down will slow down
contributions.
Now XWiki is more than a wiki and we need to address all use cases. We currently have a
contributor working 100% of his time on security aspects. He's made a lot of pull
requests recently; some have been applied and others are being reviewed. To answer one of
your points, we've identified the need to require some permissions for adding/modifying
some xobjects.
Thanks
-Vincent