Hi Eduard,
On Thu, Dec 15, 2011 at 14:30, Eduard Moraru <enygma2002(a)gmail.com> wrote:
Hi Denis,
Why is this a security issue and how is this different from importing a xar
in the main wiki (where XWiki.Admin has PR and everything)?
I am simply against this idea since it is for me exactly the same as using
Windows as an administrator since using it as a normal user is a pain. If
the xar is properly setup, there is no reason it would fail with the issue
you mention.
The issue at hand is not about setting the current
user as author for any
import done in a wiki. It`s about doing so just for a wiki template, when
creating it from a template xar. The template xar that you are using is the
one you have very carefully composed and approved (as a global admin). It
I am a wiki admin, but I am never sure, even after careful inspection that
any pages on a given wiki could gain PR without causing a risk.
is not a random application's xar that you are
importing at wiki template
creation time. Most of the time you are going to use a XE xar anyway which
has XWiki.Admin everywhere and that is causing some problems that this
change will fix.
I agree with you that the xar we produce are not setup properly for farm
purpose, but I was using farm for years now, and I have simply properly
setup my templates. Importing the author of document allows to carefully
provide programming writes only on documents that need them. If you also
prevent normal user to save it, you became really safe.
Moreover, you may also include some users in your template and precisely
set them as authors of some document for very legitimate purpose.
Please provide some additional arguments for your -1.
This issue is
currently breaking things in Workspaces.
For me, your focusing too much on the Workspace situation, and I do not
understand why you need that for workspace ? If you xar is well prepared,
it should simply works properly without this proposal.
Thanks,
Eduard
On Thu, Dec 15, 2011 at 2:48 PM, Denis Gervalle <dgl(a)softec.lu> wrote:
-1, this would be an obvious security issue and
it is worse than simply
ensuring proper authoring in the template where needed.
Denis
On Wed, Dec 14, 2011 at 22:06, Eduard Moraru <enygma2002(a)gmail.com>
wrote:
> Hi devs,
>
> Right now, when you create a wiki template from a xar, the import that
is
done in
the background is a backup import, meaning that the last author
of
> the pages that get imported in the new wiki keep the author specified
by
> the xar. This often creates problems like:
> - Missing Programming Rights
> - Unregistered macros
> - Malfunctioning scripts
>
> These problems can appear because the user specified in the xar (even
if
it
> is XWiki.Admin) is almost always a local user and subwiki local users
do
> not have PR.
> If it's not a PR issue, then the user specified in the xar can be
> non-existent and this makes admin checks fail, thus failing wiki macro
> registration for the entire subwiki.
>
> We are currently experiencing this problem in Workspaces, since, at the
> install step, we create a workspace template by using a
> workspace-template.xar (default XE but can also be user provided).
Since
we
> make sure to delete any local users (including XWiki.Admin), the Wiki
> macros will not be registered in the template and, obviously, neither
in
> any created workspace.
>
> I`m hoping to include this in 3.3 final so that Workspaces can avoid
the
> macro registration problems (and possibly
others).
>
> So I`m asking for your vote to change the current default to
non-backup.
This
means that all the pages in the new subwiki template will have the
current admin user that created the template as last author.
Here's my +1.
Thanks,
Eduard
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO