Re: [xwiki-devs] new rendering syntax concerning Groovy

Let's take an example public class Groovy { public boolean delete(String docname, Context context) { def xwiki = context.getWiki(); def xwiki2 = xwiki.xWiki; def context2 = context.context; xwiki2.deleteDocument(docName, context2); return true; } } This script is a priviledge script and will use the underlying xwiki api. This means that no rights check are performed on the call to xwiki2.deleteDocument. If you let this class in your wiki, any use can use parseGroovyFromPage to instanciate the class and call delete() and delete any page regardeless of the user rights. To fix this you do: public class Groovy { public boolean delete(String docname, Context context) { if (!context.hasProgrammingRights()) return false; def xwiki = context.getWiki(); def xwiki2 = xwiki.xWiki; def context2 = context.context; xwiki2.deleteDocument(docName, context2); return true; } } If the author of the page making the call to parseGroovyFromPage and deleteDocument is not a "programmer" then the call fails. For example if the page is $xwiki.parseGroovyFromPage("..").deleteDocument($context.user,$context) Then any use can access the page setup by the programmer to delete it's own page. If the user tries to change the page to replace by $context.user by any page, then the programmers right is revoked and the call fails Therefore you delete() function is secure.

Ludovic Pascal Voitot wrote: done programming -- Ludovic Dubost Blog: http://blog.ludovic.org/ XWiki: http://www.xwiki.com Skype: ldubost GTalk: ldubost _______________________________________________ devs mailing list devs(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/devs