7 Aug
2008
7 Aug
'08
8:46 a.m.
On Aug 5, 2008, at 5:29 PM, Pascal Voitot wrote:
[snip]
It's exactly like now. If your groovy script is dangerous, whether
it's in one a standalone page or included in another page, it'll still
be as dangerous so you'll need to protect it. If the page is itself
protected the include will fail (not implemented yet in the new
rendering but planned). Thus you should either protect the page or use
an if to test for some rights.
One possibility we have would be to add an executionRights parameter
to the groovy macro in the new rendering that would default to
"programming" so that only users with programming rights would be able
to execute a groovy macro by default (to allow anyone you would add
executionRights="view"). Basically this would simply do the test for
rights on behalf of the programmer.
WDYT?
Yes they'll share the same context.
Thanks
-Vincent
To summarize,
I think the fact that outside macros execute before
nested macros prevents dangerous things to happen in general. Now I
haven't analysed all cases yet so if you see something dangerous
please let me know so that I can fix it while it's possible.
So you think this might no be dangerous to use include for groovy? To answer your
question Pascal, you would write:
{{groovy}}
... some groovy code...
{{/groovy}}
{{include document="... page containing a groovy macro..."
context="current"/}}
Let me know if I missed something.
I have a question: if you create a groovy object in the first
{{groovy}},
could you use it also in the {{include}} (if it basically contains
also
{{groovy}} script) since you include the doc in current context?
I mean: are these 2 completely different groovy executions or do
they share
the same execution context?