On Wed, Jul 4, 2012 at 11:24 AM, Eduard Moraru <enygma2002(a)gmail.com> wrote:
Hi Thomas,
Was going to +1 this, but then a question popped up...
Does this mean that an admin (with no PR) could craft and import a xar that
contains a macro with document author xwiki:XWiki.Admin and that macro will
be registered and get PR, thus being able to inject code that will execute
with PR?
You can't import a XAR in backup mode (keeping the author of the XAR)
if you don't have PR.
Otherwise you would not need to do something that complex, you can
simply import a page with some groovy script in it and give it a PR
user as author in the XAR. And again the author of the wiki macro is
already what is used at init time so I'm not really proposing anything
new here.
Thanks,
Eduard
On Wed, Jul 4, 2012 at 11:23 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
Hi devs,
Currently the wiki macro is looking at context user when a wiki macro
is modified. This is causing a lot of complexity and misunderstanding
so I would like to change that to look at document author instead.
* all we look at at startup is document author anyway, so if you restart
that's what XWiki will look at to register the macro, so I don't see the
point in not doing the same thing at runtime
* context user makes it more complex to make sure wiki macros are properly
registered in background threads like clustering
(http://jira.xwiki.org/browse/XWIKI-7318) and extension manager jobs
(http://jira.xwiki.org/browse/XWIKI-8004)
WDYT?
Here is my +1
--
Thomas Mortagne
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
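
The argument in this thread as a small model, added here as an illustration; it is not XWiki code and not part of either message. All class and function names, the user `xwiki:XWiki.LocalAdmin`, the document names, and the rule that a normal import makes the importer the author are assumptions.

```python
from dataclasses import dataclass

# Constructed data: only xwiki:XWiki.Admin is named in the thread.
PR_USERS = {"xwiki:XWiki.Admin"}
LOCAL_ADMIN = "xwiki:XWiki.LocalAdmin"  # hypothetical admin without PR

@dataclass
class MacroDoc:
    name: str
    author: str

def has_pr(user):
    return user in PR_USERS

def import_xar_doc(doc, importer, backup_mode):
    """Backup mode keeps the XAR's author and needs PR (stated in the thread).
    Assumption: a normal import makes the importing user the author."""
    if backup_mode and not has_pr(importer):
        raise PermissionError("backup-mode import requires PR")
    return MacroDoc(doc.name, doc.author if backup_mode else importer)

def grants_pr_by_context_user(doc, context_user):
    # Runtime behaviour being replaced: depends on who triggered the change.
    return has_pr(context_user)

def grants_pr_by_author(doc):
    # Startup behaviour, proposed for runtime too: depends only on the document.
    return has_pr(doc.author)

def demo():
    crafted = MacroDoc("Sandbox.CraftedMacro", "xwiki:XWiki.Admin")
    out = {}
    try:
        import_xar_doc(crafted, LOCAL_ADMIN, backup_mode=True)
        out["backup_import"] = "allowed"
    except PermissionError:
        out["backup_import"] = "refused"
    imported = import_xar_doc(crafted, LOCAL_ADMIN, backup_mode=False)
    out["imported_author"] = imported.author
    out["imported_gets_pr"] = grants_pr_by_author(imported)
    # Background job with no user in context, modelled as None (assumption).
    legit = MacroDoc("Macros.Legit", "xwiki:XWiki.Admin")
    out["runtime_context_check"] = grants_pr_by_context_user(legit, None)
    out["runtime_author_check"] = grants_pr_by_author(legit)
    out["startup_check"] = grants_pr_by_author(legit)
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the author-based check gives the same answer at runtime and at startup, while the context-user check disagrees with startup whenever the change is processed outside a PR user's request.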