I don't think velocity macros bring any security issue.
However, it makes sense that only admins (who have programming rights)
are able to add a macro made available globally, and particularly in the
Wysiwyg UI.
Indeed it would be practical but not critical that you can test the
macro before you make it available. It might be a bit complex to make
this test feature automatic more than manual (try your macro in a page).
Ludovic
Asiri Rathnayake wrote:
Hi,
You are not speaking about security here but it's a very important
subject. With what you described any user could be able to register
any macro usable by anyone in which he can do whatever he wants with
the rights of the user of the macro.
The best would be that a macro created by a user is usable only by
himself until this macro is promoted as standard macro in some admin
UI. But this means we can't just register the macro as standard
component when it's saved, we would need at least the standard list
and the users list of macros in the DefaultMacroManager or support
this standard component VS users component in a more generic way like
the component realms suggested by Vincent.
Maybe the first step only registers the macro if the user who
modified it has programming rights.
Yes, sounds good as a start.
Thanks.
- Asiri
--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost