Re: [xwiki-users] database insertion

Send users mailing list submissions to users(a)xwiki.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.xwiki.org/mailman/listinfo/users or, via email, send a message with subject or body 'help' to users-request(a)xwiki.org You can reach the person managing the list at users-owner(a)xwiki.org When replying, please edit your Subject line so it is more specific than "Re: Contents of users digest..." Today's Topics: 1. Re: viewer=code (Caleb James DeLisle) 2. Re: viewer=code (Sergiu Dumitriu) 3. Re: database insertion (Sergiu Dumitriu) 4. Re: Receiving Watch list notifications. (clay) 5. Re: Receiving Watch list notifications. (Thibaut DEVERAUX) 6. XWiki 2 ML 4 .xar import error (Dilipkumar Jadhav) 7. Re: viewer=code (Ajdin Brandic) 8. Re: Receiving Watch list notifications. (Vincent Massol) ---------------------------------------------------------------------- Message: 1 Date: Wed, 26 Aug 2009 17:19:49 -0400 From: Caleb James DeLisle &lt;calebdelisle(a)lavabit.com&gt; Subject: Re: [xwiki-users] viewer=code To: XWiki Users &lt;users(a)xwiki.org&gt; Message-ID: &lt;4A95A6F5.9080308(a)lavabit.com&gt; Content-Type: text/plain; charset=UTF-8 Blocking users from copying a script is tricky business. To start with, an exception will cause the content to be dumped in the error message. You might try this: create a page (I will call it Main.banned, but you can call it what you like.) This will contain your secret groovy script. put this in it public class MySecretClass{ public String go(){ //your code goes here, it can only output things through //the return statement, println and errors will not be shown. String out = "hello world!";//my test code :) return out; } } NOTE: there are no <% or {{groovy}} marks Set the permissions of this page so that only you are allowed to view it. create another page (which users are allowed to view.) in this page put: {{velocity}} #set($myclass = $xwiki.parseGroovyFromPage("Main.banned")) $myclass.go() {{/velocity}} now unregistered users and users without permission can view the page with the velocity code (which executes the groovy page), but not view the page with the groovy code (with viewer=code or otherwise.) In the event of an exception in your groovy code, the user will see a velocity exception, and the exact error (eg StringIndexOutOfBoundsException -1) will be shown, but not the groovy code. I have tested this and it works. A user without any special permissions can copy the velocity code and run it themselves, but I can't see any way for them to read the groovy code. Hope this helps, Caleb James DeLisle Thomas Mortagne wrote: wrote: Behalf addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. author and do not necessarily represent those of Coventry University. ------------------------------ Message: 2 Date: Thu, 27 Aug 2009 00:24:19 +0300 From: Sergiu Dumitriu &lt;sergiu(a)xwiki.com&gt; Subject: Re: [xwiki-users] viewer=code To: XWiki Users &lt;users(a)xwiki.org&gt; Message-ID: &lt;4A95A803.9060609(a)xwiki.com&gt; Content-Type: text/plain; charset=ISO-8859-1; format=flowed Ajdin Brandic wrote: First thing to keep in mind is that any user that can *edit* documents on your wiki will always be able to retrieve the source code of documents. Now, if you want to disable the display of code to users, you should edit the following templates and add a rights check at the start: code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm, editwysiwygnew.vm, inline.vm, plaincode.vm This snippet prevents guest access: #if($context.user == 'XWiki.XWikiGuest') #stop #end -- Sergiu Dumitriu http://purl.org/net/sergiu/ ------------------------------ Message: 3 Date: Thu, 27 Aug 2009 00:30:10 +0300 From: Sergiu Dumitriu &lt;sergiu(a)xwiki.com&gt; Subject: Re: [xwiki-users] database insertion To: XWiki Users &lt;users(a)xwiki.org&gt; Message-ID: &lt;4A95A962.6020202(a)xwiki.com&gt; Content-Type: text/plain; charset=ISO-8859-1; format=flowed Alexandre Souza wrote: the it You should never manipulate XWiki data using direct SQL access. The ID of a document is actually a key to finding the right document, and only a certain value (the java hashcode) can be used for each document, so generating it from outside Java is hard. My advice is to use either a Java or Groovy code that uses the xwiki API to insert documents in the database. An example of such a script can be seen at http://svn.xwiki.org/svnroot/xwiki/sandbox/tools/cryptpasswords/ -- Sergiu Dumitriu http://purl.org/net/sergiu/ ------------------------------ Message: 4 Date: Wed, 26 Aug 2009 17:53:38 -0500 (CDT) From: clay &lt;clay(a)grabafact.com&gt; Subject: Re: [xwiki-users] Receiving Watch list notifications. To: users(a)xwiki.org Message-ID: &lt;1251327218626-3520065.post(a)n2.nabble.com&gt; Content-Type: text/plain; charset=us-ascii Caleb, You're a CHAMP! Thanks! Caleb James DeLisle wrote: http://code.xwiki.org/xwiki/bin/view/Applications/WatchlistPanelApplication interested -- View this message in context: http://n2.nabble.com/Receiving-Watch-list-notifications-tp3500490p3520065.h… Sent from the XWiki- Users mailing list archive at Nabble.com. ------------------------------ Message: 5 Date: Thu, 27 Aug 2009 02:08:31 +0200 From: Thibaut DEVERAUX &lt;thibaut.deveraux(a)gmail.com&gt; Subject: Re: [xwiki-users] Receiving Watch list notifications. To: XWiki Users &lt;users(a)xwiki.org&gt; Message-ID: &lt;66833faf0908261708t11f3d321u49b4dc4840b59995(a)mail.gmail.com&gt; Content-Type: text/plain; charset=ISO-8859-1 Woot, bravo Caleb. Seems there is a lot of people on this subject from now. I released some files about this on Flickr : http://www.flickr.com/photos/thibautdeveraux/3821532046 http://www.flickr.com/photos/thibautdeveraux/3821531914 http://www.flickr.com/photos/thibautdeveraux/3820724537 http://www.flickr.com/photos/thibautdeveraux/3820724599 (the begining of the texts is alway the same, jump at the end) Caty told me the non-panel versions were to complicated, wich is right. The fact is I think a lot about a communication board including wave integration and should separate concepts in the time to get a working design at each moment. The wave part is not finalized from now. However I think I could post the third and forth links to GoogleWave page in incubator so that it may give other people ideas. Can someone post it / make me an account on incubator ? Thanks. Thibaut 2009/8/27 clay &lt;clay(a)grabafact.com&gt; http://code.xwiki.org/xwiki/bin/view/Applications/WatchlistPanelApplication http://n2.nabble.com/Receiving-Watch-list-notifications-tp3500490p3520065.h… ------------------------------ Message: 6 Date: Thu, 27 Aug 2009 06:59:53 +0530 From: "Dilipkumar Jadhav" &lt;jadhav.dilipkumar(a)gmail.com&gt; Subject: [xwiki-users] XWiki 2 ML 4 .xar import error To: &lt;users(a)xwiki.org&gt; Message-ID: &lt;4a95e199.171bf30a.6083.47cf(a)mx.google.com&gt; Content-Type: text/plain; charset="us-ascii" Hello everyone, Tried setting up XWiki 2 ML4 as a fresh installation on a test machine. The installation went fine. However, importing the .xar file for XWiki 2 ML 4 throws the following error: Wrapped Exception: org.apache.velocity.exception.MethodInvocationException: Invocation of method 'save' in class com.xpn.xwiki.api.Document threw exception com.xpn.xwiki.XWikiException: Error number 9001 in 9: Access denied in edit mode on document XWiki.XWikiPreferences at /templates/admin.vm[line 58, column 26] at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException( ASTMethod.java:337) . When I tried again, it takes me to the XWiki preferences page but the page says it is locked in edit mode by XWiki.Guest. Clicking force edit throws the above mentioned error again. Is anyone else too facing the same issue. Did I miss out on anything critical during setup. The machine is the same where a test version of XWiki 2 ML 3 works just fine. ------------------------------ Message: 7 Date: Thu, 27 Aug 2009 08:29:49 +0100 From: "Ajdin Brandic" &lt;aa6345(a)coventry.ac.uk&gt; Subject: Re: [xwiki-users] viewer=code To: "XWiki Users" &lt;users(a)xwiki.org&gt; Message-ID: &lt;03C98BDA710E7A40B73C993433B5B22807A09B5F(a)VSEXMS-01.coventry.ac.uk&gt; Content-Type: text/plain; charset="us-ascii" Thanks for the response (Caleb James DeLisle and Sergiu). I am using myxwiki.org so not sure if I have access to .vm files?! I think a way of disabling viewer=code should be available ASAP. As it is not obvious (especially for new xwiki users/developers) that any code is publicly acessible and there is no clear way of hiding Groovy + Velocity code from the public (or search engines) this "feature" poses a great security risk. Someone unaware of this feature (like I was) and using a 3rd party API which requires authentication could easily embed and revile username/password to the whole world. Ajdin -----Original Message----- From: users-bounces(a)xwiki.org [mailto:users-bounces@xwiki.org] On Behalf Of Sergiu Dumitriu Sent: 26 August 2009 22:24 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Ajdin Brandic wrote: First thing to keep in mind is that any user that can *edit* documents on your wiki will always be able to retrieve the source code of documents. Now, if you want to disable the display of code to users, you should edit the following templates and add a rights check at the start: code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm, editwysiwygnew.vm, inline.vm, plaincode.vm This snippet prevents guest access: #if($context.user == 'XWiki.XWikiGuest') #stop #end -- Sergiu Dumitriu http://purl.org/net/sergiu/ _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users -------------------------------------------------------- NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ------------------------------ Message: 8 Date: Thu, 27 Aug 2009 10:26:24 +0200 From: Vincent Massol &lt;vincent(a)massol.net&gt; Subject: Re: [xwiki-users] Receiving Watch list notifications. To: XWiki Users &lt;users(a)xwiki.org&gt; Message-ID: &lt;7359D614-BC16-4F43-A30D-29F2B54BC967(a)massol.net&gt; Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Hi Thibaut, On Aug 27, 2009, at 2:08 AM, Thibaut DEVERAUX wrote: Lots of cool stuff :) Re google wave you might be interested in http://incubator.myxwiki.org/xwiki/bin/view/Main/GoogleWave (you need a wave account to see it) I couldn't find your account on http://myxwiki.org to add you. What's your user name? Thanks -Vincent http://code.xwiki.org/xwiki/bin/view/Applications/WatchlistPanelApplication http://n2.nabble.com/Receiving-Watch-list-notifications-tp3500490p3520065.h… ------------------------------ _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users End of users Digest, Vol 25, Issue 52 *************************************