Thanks, Thomas, for the feedback. I'm moving ahead with merging it into
master, since the build looks ready for it.
-Eduard
On Mon, Jun 22, 2015 at 1:22 PM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
On Mon, Jun 22, 2015 at 12:17 PM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
On Sat, Jun 20, 2015 at 9:36 AM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
On Fri, Jun 19, 2015 at 5:42 PM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
Hi,
On Fri, Jun 19, 2015 at 5:42 PM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
>
> >> On Fri, Jun 19, 2015 at 4:25 PM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
> >> > Hi,
> >> >
> >> > For 7.2, we are introducing a new right to control permissions on the
> >> > execution of scripts.
> >> >
> >> > Right now, out of all the scripts we support, Velocity is special and does
> >> > not require programming rights, since it uses only the public API. Of
> >> > course, if it has PR available, it can also access privileged API. All
> >> > other scripts (groovy, python, etc) require PR by default.
> >> >
> >> > The new 'script' right should be used to control "light"/sandboxed
> >> > scripting, such as velocity or any other scripts that are configured to
> >> > consider this new right when executing (assuming they override the standard
> >> > PR check).
> >>
> >> We actually do have another one already, a custom version of Groovy
> >> JSR223 engine done by Vincent.
> >> All that to say that you should probably also update
> >> org.xwiki.rendering.internal.macro.groovy.GroovyMacroPermissionPolicy
> >> in xwiki-platform-rendering-macro-groovy module.
> >>
> >
> > I have noticed it, but did not touch it since I see it has a custom way of
> > restricting execution (it sets a 'secure' flag in the groovy configuration
> > that tells it to consider if the macro transformation context is restricted
> > or not and, if not restricted, it does not need PR, but delegates to a
> > Groovy dedicated security customizer) and if that is not used/configured,
> > it falls back to programming rights.
> >
> > Do you think we need to or should do more than that for Groovy? If no
> > custom security customizer is set, then PR decide if a groovy script runs
> > or not (which is often the case). And if so, what do you propose?
I know how it's working and the goal of this customisation is to allow
using Groovy without PR, in which case it should require Script right
exactly like Velocity does. It would not make much sense to not be
allowed to do Velocity when you can do Groovy.
I see. At first I did not understand what you meant, but now I do.
Basically, you want "light"/limited groovy scripts (running with a secure
customizer) to be handled consistently, just like velocity scripts,
which makes sense.
In other words, this:
https://github.com/xwiki/xwiki-platform/commit/a766d8a1d7db06f51e02fbced85a…
yes
Thanks,
Eduard
>
> >
> > Thanks,
> > Eduard
> >
> >>
> >> >
> >> > Since the build is not in top shape due to the nested spaces changes, I
> >> > have currently committed my work on this in a branch, created a PR and
> >> > would like to profit from this occasion to ask the devs that are more
> >> > familiar with the rights system for some feedback on it.
> >
> > The Jira issue is http://jira.xwiki.org/browse/XWIKI-12171
> > The PR is https://github.com/xwiki/xwiki-platform/pull/410
>
> Looks good (all I could do is a minor comment on a comment :) ).
>
> >
> > Thanks,
> > Eduard
> > _______________________________________________
> > devs mailing list
> > devs(a)xwiki.org
> > http://lists.xwiki.org/mailman/listinfo/devs
>
>
>
> --
> Thomas Mortagne