Thanks for the response (Caleb James DeLisle and Sergiu). I am using
myxwiki.org so not sure if I have access to .vm files?!
I think a way of disabling viewer=code should be available ASAP.
As it is not obvious (especially for new xwiki users/developers) that
any code is publicly accessible and there is no clear way of hiding
Groovy + Velocity code from the public (or search engines) this
"feature" poses a great security risk. Someone unaware of this feature
(like I was) and using a 3rd party API which requires authentication
could easily embed and reveal username/password to the whole world.
Ajdin
-----Original Message-----
From: users-bounces(a)xwiki.org [mailto:users-bounces@xwiki.org] On Behalf
Of Sergiu Dumitriu
Sent: 26 August 2009 22:24
To: XWiki Users
Subject: Re: [xwiki-users] viewer=code
Ajdin Brandic wrote:
> Is there an option (settings) to disable this
> (viewer=code) on a site?

First thing to keep in mind is that any user that can *edit* documents
on your wiki will always be able to retrieve the source code of
documents.

Now, if you want to disable the display of code to users, you should
edit the following templates and add a rights check at the start:
code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm,
editwysiwygnew.vm, inline.vm, plaincode.vm

This snippet prevents guest access:

#if($context.user == 'XWiki.XWikiGuest')
  #stop
#end

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
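
Added example, not part of the original messages and not XWiki's own code: a small audit that checks whether each template named in the thread begins with the guest guard, so an administrator can confirm no listed template was missed. The function names and the sample template contents are assumptions constructed for illustration; point audit_templates() at your own templates directory.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Template names as listed in the thread; changes*.vm is a glob.
PATTERNS = ["code.vm", "xml.vm", "changes*.vm", "editwiki.vm", "editwysiwyg.vm",
            "editwysiwygnew.vm", "inline.vm", "plaincode.vm"]

# The guard from the thread, tolerant of whitespace and quote style.
GUARD = re.compile(
    r"""\A\s*#if\s*\(\s*\$context\.user\s*==\s*['"]XWiki\.XWikiGuest['"]\s*\)\s*#stop\s*#end""")

def strip_leading_comments(text):
    """Drop Velocity ## line comments and #* ... *# block comments at the top."""
    while True:
        text = text.lstrip()
        if text.startswith("##"):
            text = text.partition("\n")[2]
        elif text.startswith("#*"):
            text = text.partition("*#")[2]
        else:
            return text

def audit_templates(template_dir):
    """Return {file name: True if the guest guard is the first directive}."""
    results = {}
    for path in sorted(Path(template_dir).glob("*.vm")):
        if any(fnmatch.fnmatch(path.name, p) for p in PATTERNS):
            body = strip_leading_comments(path.read_text(encoding="utf-8"))
            results[path.name] = bool(GUARD.match(body))
    return results

def demo():
    """Constructed sample templates (not real XWiki files) to exercise the audit."""
    guard = "#if($context.user == 'XWiki.XWikiGuest')\n#stop\n#end\n"
    samples = {
        "code.vm": guard + "$doc.content",
        "xml.vm": "## header comment\n" + guard + "<xml/>",
        "changesdoc.vm": "$doc.content\n" + guard,   # guard placed too late
        "plaincode.vm": "$doc.content",              # no guard at all
        "view.vm": "$doc.content",                   # not in the thread's list
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            Path(d, name).write_text(text, encoding="utf-8")
        return audit_templates(d)

if __name__ == "__main__":
    for name, ok in demo().items():
        print("guarded  " if ok else "UNGUARDED", name)
```

The audit only reports listed templates that exist in the directory, and a guard placed after other output counts as missing because the thread says to add the check at the start.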