15 Dec
2011
15 Dec
'11
2:30 p.m.
Hi Denis,
Why is this a security issue and how is this different from importing a xar
in the main wiki (where XWiki.Admin has PR and everything)?
The issue at hand is not about setting the current user as author for any
import done in a wiki. It`s about doing so just for a wiki template, when
creating it from a template xar. The template xar that you are using is the
one you have very carefully composed and approved (as a global admin). It
is not a random application's xar that you are importing at wiki template
creation time. Most of the time you are going to use a XE xar anyway which
has XWiki.Admin everywhere and that is causing some problems that this
change will fix.
Please provide some additional arguments for your -1. This issue is
currently breaking things in Workspaces.
Thanks,
Eduard
On Thu, Dec 15, 2011 at 2:48 PM, Denis Gervalle <dgl(a)softec.lu> wrote:
-1, this would be an obvious security issue and it is
worse than simply
ensuring proper authoring in the template where needed.
Denis
On Wed, Dec 14, 2011 at 22:06, Eduard Moraru <enygma2002(a)gmail.com> wrote:
Hi devs,
Right now, when you create a wiki template from a xar, the import that is
done in the background is a backup import, meaning that the last author
of
the pages that get imported in the new wiki keep
the author specified by
the xar. This often creates problems like:
- Missing Programming Rights
- Unregistered macros
- Malfunctioning scripts
These problems can appear because the user specified in the xar (even if
it
is XWiki.Admin) is almost always a local user and
subwiki local users do
not have PR.
If it's not a PR issue, then the user specified in the xar can be
non-existent and this makes admin checks fail, thus failing wiki macro
registration for the entire subwiki.
We are currently experiencing this problem in Workspaces, since, at the
install step, we create a workspace template by using a
workspace-template.xar (default XE but can also be user provided). Since
we
make sure to delete any local users (including
XWiki.Admin), the Wiki
macros will not be registered in the template and, obviously, neither in
any created workspace.
I`m hoping to include this in 3.3 final so that Workspaces can avoid the
macro registration problems (and possibly others).
So I`m asking for your vote to change the current default to non-backup.
This means that all the pages in the new subwiki template will have the
current admin user that created the template as last author.
Here's my +1.
Thanks,
Eduard
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs