On Wed, Aug 31, 2011 at 2:39 PM, Denis Gervalle <dgl(a)softec.lu> wrote:
On Wed, Aug 31, 2011 at 11:08, Marius Dumitru Florea <mariusdumitru.florea(a)xwiki.com> wrote:
On Wed, Aug 31, 2011 at 11:41 AM, Anca Luca <lucaa(a)xwiki.com> wrote:
Off the top of my head:
On 08/31/2011 10:16 AM, Marius Dumitru Florea wrote:
> Hi devs,
>
> I need your feedback regarding two use cases:
>
> (A) /view/Space1/PageWithPR?sheet=Space2.SheetWithoutPR
>
> Drop permissions when rendering the sheet, right?
It only seems normal to me too...
> (B) /view/Space1/PageWithoutPR?sheet=Space2.SheetWithPR
>
> How often did you write class/document sheets requiring programming
> rights?
The problem is not how often, but if there's one use case and we'd make it
impossible by this approach, without having a workaround for it. I think
there might be cases when you need a sheet with programming rights...
> I don't think it's possible/safe to keep PageWithoutPR as
> context document and render SheetWithPR using programming rights.
I cannot think of use cases right now, but I would make it behave like
{{include}} with context=old, because this is the way we used sheets
before... (which I think means not having PR for Space2.SheetWithPR)
So rendering the Space2.SheetWithPR without programming rights when
the target document doesn't have programming rights is acceptable in
your opinion, right?
I suppose that when you create a sheet that requires programming
rights you make sure all pages that use that sheet also have
programming rights.
This was an old discussion. In Syntax 1.x, the PR security is based on the
document included, and not the including document. This has been changed
with the new rendering engine and Syntax 2.x; now the including document is
used for checking PR.
This does not tightly link the PR with the author of the document (= the only
way to determine the author of the script currently), and this is for me the
wrong direction. See XWIKI-5027 for more on that.
> A reason you may want PR for your sheet and not for the including document
> is that you'd like to write the sheet in Groovy, while the including
> documents are created by end users.