6 Aug
2012
6 Aug
'12
4:20 p.m.
On 08/06/2012 07:14 AM, Stocki wrote:
Yeah, I thought so, but wanted to ask anyway. I will look into the hole
confidental data thing and probably will leave it out there.
There is a way to fix this, but it requires more code.
The basic idea is that you store confidential information as custom data
stored in the database, not as basic class properties, and you create a
script service that provides access to this data. Since this script
service is the only way to access the data, you can enforce rights any
way you like in it.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
This is in progress. See
http://jira.xwiki.org/browse/XWIKI-7374 . We
hope to have it in 4.2 final.
Good to hear that this is in progress. Any Idea when 4.2 will be released?
2. If I
put secret data in there (e.g. Pin/PUK for mobiles) I was able to
let it not show in the list AppWithInMinutes generates (viewable only for
admins), but of course in the generated Page, everybody can see it. Is
there
a way that this is only viewable for admins as well? Of course I can
prohibit this by securing the hole page, but ( again in a perfect world
:)
it would be good that the employee can see and edit all his stuff in the
inventory, but only he and/or admins can see the confidental data.
This is a bit tricky. You can customize the sheet used to view and
edit the application entries so that the Pin/PUK field/value is
displayed only for admins but it won't prevent users from editing the
application entries (pages) in Object mode and see the secret value.
If a user has the right to edit a page then he can see all the
property values of objects attached to that page. In other words, the
rights system doesn't work at the level of object property, not even
at the level of object. The finest level is page.
Hope this helps,
Marius