30 May
2012
30 May
'12
4:18 p.m.
On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
On Wed, May 30, 2012 at 4:35 PM, Vincent Massol
<vincent(a)massol.net> wrote:
It's in platform-configuration-default, next to DefaultconfigurationSource.
thanks
-Vincent
On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
Hi devs,
We have the need of a Configuration Source component hint for implementation that only
looks in non-modifiable sources (e.g. xwiki.properties).
More specifically there's a security issue in some cases in allowing to use the
current "default" configuration source which looks in space preferences, wiki
preferences and the only in xwiki.properties.
For example the Environment's permanent directory should not be modifiable from wiki
pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
So here's the proposal:
* Introduce a new RestrictedConfigurationSourceProvider implementation (in
configuration-api) that does the same as the current ConfigurationSourceProvider but when
looking up the CS, it looks for a CS with hint "restricted"
* Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
* Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
Made a mistake here. Instead:
* Introduce a new RestrictedConfigurationSourceProvider implementation (in
configuration-api) that does the same as the current ConfigurationSourceProvider but when
looking up the CS, it looks for a CS with hint "restricted" * Add a new RestrictedConfigurationSource impl
that uses only XWikiPropertiesConfigurationSource FTM
Will you put RestrictedConfigurationSource in
xwiki-commons-configuration-api or in xwiki-platform? It needs to know
about "xwikiproperties" hint, which is specific to xwiki-platform.
Thanks,
Marius
No need to deprecate anything.
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs * Modify DefaultEnvironmentConfiguration to use:
@Inject
@Named("restricted")
private Provider<ConfigurationSource> configurationSourceProvider;
WDYT?
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs