On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <vincent(a)massol.net> wrote:
On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> Hi devs,
>
> We have the need of a Configuration Source component hint for
> implementation that only looks in non-modifiable sources (e.g.
> xwiki.properties).
>
> More specifically there's a security issue in some cases in allowing to
> use the current "default" configuration source which looks in space
> preferences, wiki preferences and then only in xwiki.properties.
>
> For example the Environment's permanent directory should not be
> modifiable from wiki pages (see
> http://jira.xwiki.org/browse/XCOMMONS-182).
>
> So here's the proposal:
>
> * Introduce a new RestrictedConfigurationSourceProvider implementation
> (in configuration-api) that does the same as the current
> ConfigurationSourceProvider but when looking up the CS, it looks for a CS
> with hint "restricted"
> * Deprecate the current XWikiPropertiesConfigurationSource (hint =
> "default")
> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"

Made a mistake here. Instead:
* Introduce a new RestrictedConfigurationSourceProvider implementation
(in configuration-api) that does the same as the current
ConfigurationSourceProvider but when looking up the CS, it looks for a CS
with hint "restricted"
* Add a new RestrictedConfigurationSource impl that uses only
XWikiPropertiesConfigurationSource FTM

Will you put RestrictedConfigurationSource in
xwiki-commons-configuration-api or in xwiki-platform? It needs to know
about "xwikiproperties" hint, which is specific to xwiki-platform.

It's in platform-configuration-default, next to
DefaultconfigurationSource.
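
The lookup-order difference behind the proposal in this thread, as an added Java example (not XWiki code and not written by anyone in the thread). The `ConfigSource`, `MapSource` and `CompositeSource` types, the key name and the paths are assumptions made for illustration; they are not XWiki's component API.

```java
import java.util.*;

// Hypothetical stand-in for a configuration source; not XWiki's real interface.
interface ConfigSource {
    Optional<String> get(String key);
}

// A source backed by a fixed map (stands in for xwiki.properties or a preferences page).
final class MapSource implements ConfigSource {
    private final Map<String, String> values;
    MapSource(Map<String, String> values) { this.values = Map.copyOf(values); }
    public Optional<String> get(String key) { return Optional.ofNullable(values.get(key)); }
}

// Chained lookup as described for the "default" hint: the first source defining the key wins.
final class CompositeSource implements ConfigSource {
    private final List<ConfigSource> chain;
    CompositeSource(ConfigSource... chain) { this.chain = List.of(chain); }
    public Optional<String> get(String key) {
        for (ConfigSource s : chain) {
            Optional<String> v = s.get(key);
            if (v.isPresent()) return v;
        }
        return Optional.empty();
    }
}

public class RestrictedLookupDemo {
    public static void main(String[] args) {
        // Constructed sample data; the key name and paths are illustrative assumptions.
        String key = "environment.permanentDirectory";
        ConfigSource spacePrefs = new MapSource(Map.of());
        ConfigSource wikiPrefs = new MapSource(Map.of(key, "/tmp/set-from-a-wiki-page"));
        ConfigSource propertiesFile = new MapSource(Map.of(key, "/var/lib/xwiki/data"));

        // "default": space preferences, then wiki preferences, then the properties file.
        ConfigSource byHintDefault = new CompositeSource(spacePrefs, wikiPrefs, propertiesFile);
        // "restricted": only the non-modifiable file is consulted.
        ConfigSource byHintRestricted = new CompositeSource(propertiesFile);

        // With the default chain, a value editable from a wiki page shadows the file.
        System.out.println("default    -> " + byHintDefault.get(key).orElse("<unset>"));
        // With the restricted chain, page edits cannot influence the result.
        System.out.println("restricted -> " + byHintRestricted.get(key).orElse("<unset>"));
    }
}
```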