Re: [xwiki-devs] new rendering syntax concerning Groovy

So, this is the responsability of the programmer to control the access to his code... This is quite free but requires a good knowledge about what

do... (I wonder wether providing the {{include}} macros would bring much more dangerous issues in this case apart from the memory issue you evoked) Does parseGroovy takes care about not duplicating script parsing to

groovy parser from plundering memory?

I need to think about all of this because Groovy integrated in xwiki with velocity also is so much powerful to my mind that it might be worth

into it... Pascal On Tue, Aug 5, 2008 at 10:21 AM, Ludovic Dubost <ludovic(a)xwiki.org>

> Pascal Voitot wrote: > > >> I agree with you, this is not simple in this context. >> >> Anyway, I have a question: >> Groovy is programmed by a programmer with special rights but it can be >> executed by anyone. Am I right? (apparently this is the default >>

> I > > >> can see) >> What prevents anyone with edit rights to add $xwiki.parseGroovy in his >> velocity script (do you need programming rights for this) ? >> >> >> > The groovy script needs to be own by a programmer. This is the > responsibility of the programmer to do a groovy script that is secure or > to do himself checkProgrammingRights in his code. If he does then the > page doing parseGroovyFromPage needs programming rights. > parseGroovyFromString always needs programming rights. > > > >> Moreover if you put in a document something like this: >> >> {pre} >> <% >> I do some groovy things >> %> >> {/pre} >> >> then in another one >> you put >> >> # some velocity things >> $xwiki.getDocument("GroovyDoc").getContent() >> # some other things >> >> Is the groovy simply injected here and executed when someone with >>

>> rights access the last doc? (Apparently with default rights, that's >>

_______________________________________________ devs mailing list devs(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/devs