We can add another marker interface, PrivilegedQueryExecutor or
something like that, which informs that it can execute privileged
queries, so it's up to the query manager to prevent them from running in
an unprivileged environment.
On 08/05/2013 03:16 AM, Thomas Mortagne wrote:
It's not as simple as moving the ifs from SecureQueryExecutorManager
to each QueryExecutor since the query executors don't know if they
need to check rights.
On Sun, Aug 4, 2013 at 7:34 PM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
> Hi devs,
>
> It seems that our SecureQueryManager [1] is preventing the execution of
> queries other than XWQL and HQL in the absence of PR.
>
> However, this is not at all a friendly policy when it comes to extensions.
> An example of where this is causing problems is Solr queries, where only
> users (well, document authors) with PR can execute them.
>
> As the subject says, I suggest removing this restriction and leaving rights
> check to be performed in each QueryExecutor's execute() method.
>
> The associated Jira issue is XWIKI-9386 [2]
>
> Here's my +1.
>
> Thanks,
> Eduard
--
Sergiu Dumitriu
http://purl.org/net/sergiu
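
A sketch of the marker-interface idea discussed in this thread, added here as an example and not XWiki's own code. The types are simplified stand-ins for the real ones; the boolean programming-rights flag, the `solr` and `sql` executors and their results are constructed for illustration.

```java
import java.util.List;
import java.util.Map;

public class MarkerInterfaceDemo {
    /** Simplified stand-in for a query executor (assumption, not the real XWiki interface). */
    interface QueryExecutor {
        List<String> execute(String statement);
    }

    /** Marker: the executor can run privileged queries and does no rights check of its own. */
    interface PrivilegedQueryExecutor extends QueryExecutor { }

    /** Hypothetical manager: it gates only the executors that carry the marker. */
    static class SecureQueryManager {
        private final Map<String, QueryExecutor> executors;

        SecureQueryManager(Map<String, QueryExecutor> executors) {
            this.executors = executors;
        }

        List<String> execute(String language, String statement, boolean hasProgrammingRights) {
            QueryExecutor executor = executors.get(language);
            if (executor == null) {
                throw new IllegalArgumentException("Unknown query language: " + language);
            }
            // The manager, not the executor, refuses privileged executors without PR.
            if (executor instanceof PrivilegedQueryExecutor && !hasProgrammingRights) {
                throw new SecurityException("Query language [" + language + "] requires programming rights");
            }
            // Unmarked executors are trusted to check rights inside execute().
            return executor.execute(statement);
        }
    }

    public static void main(String[] args) {
        // Constructed executors: "solr" filters its own results, "sql" is unrestricted.
        QueryExecutor solr = statement -> List.of("documents the caller may view");
        PrivilegedQueryExecutor sql = statement -> List.of("raw rows");
        SecureQueryManager manager = new SecureQueryManager(Map.of("solr", solr, "sql", sql));

        System.out.println(manager.execute("solr", "title:Main", false)); // allowed without PR
        System.out.println(manager.execute("sql", "select 1", true));     // allowed with PR
        try {
            manager.execute("sql", "select 1", false);                    // marker + no PR
        } catch (SecurityException e) {
            System.out.println("Denied: " + e.getMessage());
        }
    }
}
```

With this split, an extension that forgets the marker on an unrestricted executor runs without any check, so the marker's absence has to mean "checks rights itself" by contract.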