----- Original Message -----
From: Esbach, Brandon
Sent: Tuesday, January 02, 2007 5:06 AM
Subject: RE: [xwiki-users] User and the XWiki.XWikiUsers Object

#3 is happening as the user list uses a standard object to maintain the user (in essence it's actually just an enhanced class object).

Odd thing is that even a registered user should not have edit object under the menu (mine didn't under 0.9.840, but then I used a customized gui for mine).

Most times, you don't want users ever modifying the objects directly as this can affect your classes horribly (as it does for users).

Here is a band-aid fix that you can implement quickly without much tinkering. If this is slipping through, you can prevent it yourself:

NOTE: EDITING FILES AND STYLES ON XWIKI CAN RENDER YOUR XWIKI INOPERABLE, AND IS DONE AT YOUR OWN RISK.

1) Edit your skin. If you're not using a custom skin, you can find it under (../edit/XWiki/MySkin?xpage=editobject will take you directly to the place you need).

2) What you're looking for is a "View Header" entry. If you don't have this on your skin, then you need to modify the file "webapps\xwiki\templates\viewheader.vm" on your webserver. Place the content into an external editor, e.g. Notepad or Eclipse. I usually neaten up the code a bit so that I can see what's going on; it doesn't cause any damage if you take a little care.

3) Find the following line: "xpage=editobject" - without the quotes. The line should read something like

    #xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")

4) The simple way is to make a change so it looks something like this instead:

    #if($xwiki.hasAdminRights())
    #xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")
    #end

The change above is not the only way to do this, but it will ensure, though, that only Admin users should see that menu entry, while not breaking its accessibility should you want to allow it through other means (e.g. through a link in a document).

This can be tested quickly by registering a new dummy user to see whether they can see this option in the menu.

From: Mac [mailto:ed_perry@mac.com]
Sent: 01 January 2007 19:13
To: xwiki-users@objectweb.org
Subject: [xwiki-users] User and the XWiki.XWikiUsers Object

Hey there, new to all of this wiki stuff and I love this emerging technology.

Well, to the point. I was experimenting around on my own site and playing around with the user objects.

I do not think it is wise to allow newly registered users to edit their objects.

I registered a test user.
Went to his User Page,
edited the objects
and removed the XWiki.XWikiUser object.

To me this had an interesting effect.

1) The user only would get challenged for an e-mail address confirmation.
2) The user could not do anything (at least not that I found yet). Yipee, good security.
3) The user did not show up on the administrator's user list.

Although the first 2 are great, #3 to me is a problem, unless there is another way of discovering this user?

Well, when I added the XWikiUsers object back, all of the user information was back (though shouldn't it be purged when the class is removed?).

Basically I am concerned with people creating accounts, removing this Object and not coming back to my website because they screwed up their account, and I will only know if they take the time to e-mail me.
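
The template change described in steps 3 and 4 of the reply can be checked mechanically. The following is an added example, not part of either message and not XWiki code: a small Python check that reports any "xpage=editobject" menu line sitting outside an `#if($xwiki.hasAdminRights())` block. The function name and the three sample templates are constructed for illustration.

```python
import re

# Velocity directives that open, switch or close a block, plus the menu link itself.
TOKEN = re.compile(r"#\{?(elseif|else|if|foreach|macro|define|end)\b\}?|xpage=editobject")
# Only the exact guard from the post counts; negated or compound conditions
# are reported as unguarded so that they get a manual look.
GUARD = re.compile(r"#\{?if\}?\s*\(\s*\$xwiki\.hasAdminRights\(\)\s*\)")

def unguarded_editobject_lines(template):
    """Return 1-based line numbers of editobject links outside the admin guard."""
    stack = []      # one bool per open block: True if it is the admin guard
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        code = line.split("##", 1)[0]           # drop Velocity line comments
        for m in TOKEN.finditer(code):
            word = m.group(1)
            if word is None:                    # the xpage=editobject link
                if not any(stack):
                    findings.append(lineno)
            elif word == "if":
                stack.append(GUARD.match(code, m.start()) is not None)
            elif word in ("foreach", "macro", "define"):
                stack.append(False)
            elif word in ("else", "elseif"):
                if stack:
                    stack[-1] = False           # alternative branch runs for non-admins
            elif stack:                         # "end" closes the innermost block
                stack.pop()
    return findings

# Constructed sample templates; only the #xwikiitem line and the guard come from the post.
BEFORE = '''<ul>
#xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")
</ul>'''
AFTER = '''<ul>
#if($xwiki.hasAdminRights())
#xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")
#end
</ul>'''
WRONG_BRANCH = '''#if($xwiki.hasAdminRights())
#else
#xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")
#end'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("wrong branch", WRONG_BRANCH)):
        print(name, unguarded_editobject_lines(text))
```

The check covers the menu template only. As the reply itself notes, the editobject page stays reachable through other means, so a clean result says nothing about who holds edit rights on the user objects.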