Hi,
Thanks for the piece of advice. Since I need access to the context and
would like to be able to put some warning in the logs if an error occurs
while checking the password, I think I would put the method in
com.xpn.xwiki.api.User rather than in XWikiUser. But of course I would
check for the Programming Rights to avoid brute force.
Thanks,
Thomas
On Thu, Apr 25, 2013 at 5:02 PM, Vincent Massol <vincent(a)massol.net> wrote:
Hi,
On Apr 25, 2013, at 12:15 AM, Denis Gervalle <dgl(a)softec.lu> wrote:
On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse <thomas.delafosse(a)xwiki.com> wrote:
> Hello all,
>
> I've been working on some improvements on user changing password (see
> XWiki-6882). In particular, I tried to make it mandatory for a user
> wanting to change his password to also submit his current password, so
> that I could check it.
> The problem is that there is no way to make this check through velocity.
> I tried to use some groovy instead, but it breaks the functional tests.
> So I need to introduce a new method "checkPassword" accessible from
> velocity scripts. The question is, where should I implement it?
> There are two possibilities:
> 1) Write a new component
> 2) Add this method in an existing API.
> I don't really like 1), as I feel it would be strange to introduce a new
> service with only one method.
> In the meanwhile, for 2), I don't really know in which API this method
> could fit. Sergiu told me that I could perhaps put it in
> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi,
> but that it wasn't really good either. Any ideas?
IMO, you should use an existing API that will be deprecated as soon as we
have a real security authentication module. However, I do not think
com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the right
place, I would see it more in com.xpn.xwiki.user.api.XWikiUser, with
the advantage that reaching it will require PR (preventing brute force
attack).

In the new authentication module, the abstraction should be really
improved, allowing to change the password outside of the XWiki as well,
if the authentication backend supports such a feature. The notion of
password will need to be abstracted as well, since there is more than just
password for authentication. So, this will surely be another story, and it
is not foreseeable now.
I agree with Denis here. Regarding the location in the existing code, I
don't have any strong opinion.
Thanks
-Vincent