3 Feb
2011
3 Feb
'11
noon
Thanks for the answers,
I think we've reached a consensus on at least one thing : adding the
metadata in pages that require PR.
I'm going to implement that for 3.0M2.
If nobody opposes it, I will :
* Add to the XWiki.RequiredRightClass to XWiki Enterprise xar (I think it
makes more sense in XE than in the admin app), with a single field for now,
which precise the right the page must be saved with. Multiselect with 2
values for now : "programming" and "edit"
* Add the object to all pages requiring it. If I miss some, please help me
spot them :)
The rest can be implemented later, although I will also try to make a quick
PoC of the admin UI for offering to fix PR.
Jerome.
On Wed, Jan 19, 2011 at 8:04 PM, Jerome Velociter <jerome(a)xwiki.com> wrote:
Hi developers,
I've setup and worked on a couple of wiki farms recently, and my feedback
is that the PR issue has become for me a major PITA.
It's worst than before, because we've introduced a lot of pages that
requires it : annotations style and script, plus the wiki macros for
activity, tag cloud, space, etc. (OK, it's not really PR, it's edit right of
the last person who did edit it, but it's the same issue mostly : you need
to have it saved by someone with sufficient rights).
Importing not as back-up (meaning all pages imported from the XAR are saved
by the user doing the import) is not sufficient answer, for several reason :
* User might not have programming rights
* When user has programming rights, it's a BAD practice in terms of
security (it means every page of the wiki initially has the PR right OK)
* Wiki creation is also done by template wiki copy, which is not covered by
this
* This problem is not just an import/creation problem, we need generally a
way to know which pages require PR, and which are missing this PR (users can
be deleted, their rights can change, etc.).
OK, that looks like sufficient complaining :)
Here what I propose, tell me what you think :
1. We define a XWiki class, like XWiki.RequiredRightClass, with a field
that describe the required right the user saving the document must have for
it to behave properly (for example it will be "edit" for wiki macros with a
"wiki" scope, and "programming" for pages that uses privileged APIs,
or JSR
scripts, or always use SSX, etc.)
2. We make a simple UI (for example in the administration section of the
admin app) that list all of them, and their current status. Plus a button to
fix the status if there is something to fix (a missing PR for example) and
if the user seeing the page has the required rights of course.
That's what I propose for now.
In the future, we could imagine that :
3. Programming right can only be granted on a page that requires
it explicitly. This would be a non-backward compatible change.
Let me know what you think.
If we agree I volunteer to implement this in 3.0 M2.
Jerome.