5 Aug
2008
5 Aug
'08
10:10 a.m.
Hello,
please see below...
On Tue, Aug 5, 2008 at 9:49 AM, Ludovic Dubost <ludovic(a)xwiki.org> wrote:
Hi Pascal,
A {{groovy}} macro is planned. However what you seem to be asking for
might cause some security issues.
Groovy needs to be limited to "Programmer" authors so we are trying to
avoid complex includes of groovy code that could lead to inject groovy
code.
You're right about the security issue!
I was only thinking about my coding issue but not about this important issue
:)
Could you give a use case with an example of what you would like to
achieve using groovy ?
Is it something like that
----
text text text
{{groovy}}
{{include:MySpace.GroovyDoc}}
other groovy code
{{groovy}}
text text test
----
it could be something like that in an ideal world
And MySpace.GroovyDoc is a pure text file containing groovy code ?
If we implement this it would mean checking that MySpace.GroovyDoc and
the current page are own by priviledge users. So the include would need
to know it is in the context of a {{groovy}} macro.
It also depends when the {{groovy}} macro runs and if we allow the
{{include}} to run in this context.
I agree with you, this is not simple in this context.
Anyway, I have a question:
Groovy is programmed by a programmer with special rights but it can be
executed by anyone. Am I right? (apparently this is the default behaviour I
can see)
What prevents anyone with edit rights to add $xwiki.parseGroovy in his
velocity script (do you need programming rights for this) ?
Moreover if you put in a document something like this:
{pre}
<%
I do some groovy things
%>
{/pre}
then in another one
you put
# some velocity things
$xwiki.getDocument("GroovyDoc").getContent()
# some other things
Is the groovy simply injected here and executed when someone with default
rights access the last doc? (Apparently with default rights, that's what
happened... I may have missed something)
Pascal
Ludovic
Pascal Voitot wrote:
Hello,
Do you foresee a special syntax for groovy scripts as you already have
for
velocity using {{velocity}} with some more
features?
My idea is to be able to code cleanly using groovy and to put some
"generic"
part of scripts in separated documents and to be
able to import them in
other docs containing other parts of scripts.
It would be really nice to be able to type some part of scripts or to
define
some groovy classes in a page and tell "this
is groovy code which is not
"WIKI-renderable" as is".
Then we could simply import/include this script in another page (just
paste
the code without any rendering) using something
like
#include("MySpace.MyGroovyDoc").
xwiki.parseGroovyXXX is useful sometimes but not when you only want to
include some part of scripts.
Existing #includeXXX macros always render the content and here I only
want
to paste a script from somewhere else
(xwiki.getDocument("").getContent()
in
fact)
Moreover the idea would be also to allow using both "xwiki.parseGroovy"
and
the #include macro for the same groovy
"document". For the time being,
one
need to use the trick
/* groovygroovy #* */
/* *# */
and then you are condemned to use xwiki.parseGroovyXXX because no other
function can interprete this tricky syntax.
best regards
Pascal
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs