19 Dec
2008
19 Dec
'08
3:54 a.m.
I've posted a snippet:
http://code.xwiki.org/xwiki/bin/view/Snippets/GenericXMLapiSnippet
Which adds a very simple XML API to a site. This API allows other sites to
programmaticaly query the XWiki site, and display data from it in any form
they choose.
You can see an example here:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/api/genericXML
I came across two problems in the process of writing this. One is general,
and onw specific to my site - and fatal.
the first problem is that is seems like this API can deliver protected data
to a non-registered user. To avoid this on my site, I restricted it not to
show classes under the XWiki space. Shouldn't this be blocked at a lower
level?
The second problem was that I have some fields (propoerties) in some of the
classes which I'm not using. Since I can't delete them, I decided to change
the name to ".unused" and filter. However, once I did this it seems to have
completly crashed the class at hand. I can't even look at the Class in the
ClassEditor to delete the latest versions and go back to the latest good
one.
Here is the corrupted class:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Cases/CaseClass
Any ideas?
___________________________
Yishay Mor, Researcher, London Knowledge Lab
http://www.lkl.ac.uk/people/mor.html
http://www.google.com/calendar/embed?src=yishaym%40gmail.com
+44-20-78378888 x5737
19 Dec
19 Dec
9:24 a.m.
Hi Yishay,
On Dec 19, 2008, at 3:54 AM, Yishay Mor wrote:
I've posted a snippet:
http://code.xwiki.org/xwiki/bin/view/Snippets/GenericXMLapiSnippet
Which adds a very simple XML API to a site. This API allows other
sites to
programmaticaly query the XWiki site, and display data from it in
any form
they choose.
You can see an example here:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/api/
genericXML
In case you didn't know about it, all xwiki pages can be viewed as XML
right (just add xpage=xml i the URL)? Then all you need is an XPath
expression to query whatever part you're interested in. Or a XSL
transformation to transform it into another XML document.
The snippet looks cool but it's quite hard to understand what it does.
Maybe you could add some more explanation and examples?
I came across two problems in the process of writing
this. One is
general,
and onw specific to my site - and fatal.
the first problem is that is seems like this API can deliver
protected data
to a non-registered user. To avoid this on my site, I restricted it
not to
show classes under the XWiki space. Shouldn't this be blocked at a
lower
level?
It's already blocked by the permission system and for password fields
you shouldn't be able to see the value.
If you don't want users to view some data you must make the page non
viewable for them.
The second problem was that I have some fields
(propoerties) in some
of the
classes which I'm not using. Since I can't delete them, I decided to
change
the name to ".unused" and filter. However, once I did this it seems
to have
completly crashed the class at hand. I can't even look at the Class
in the
ClassEditor to delete the latest versions and go back to the latest
good
one.
Here is the corrupted class:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Cases/CaseClass
I've never seen that :) Something is indeed deeply broken since the
rendering is failing to display but I don't know why.
Thanks
-Vincent
1 p.m.
From: Vincent Massol <vincent(a)massol.net>
I see you've moved it to:
http://code.xwiki.org/xwiki/bin/view/Snippets/GenericXMLApiSnippet
I've posted a snippet:
http://code.xwiki.org/xwiki/bin/view/Snippets/GenericXMLapiSnippet
In case you didn't know about it, all xwiki pages
can be viewed as XML
right [..]
The snippet looks cool but it's quite hard to understand what it does.
I know, but I wanted to provide client with a simple to use API that allows
them to browse and retrieve the data. The content produced by ?xpage=xml is
too rich :)
I'll document the snippet
the first problem is that is seems like this API can
deliver protected
data
It's already blocked by the permission system and for password fields you
shouldn't be able to see the value.
That's what I thought. But have a look at:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/XWiki/YishayMor
vs.
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/api/genericXML?xpa…
Here is the
corrupted class:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Cases/CaseClass
I've never seen that :) Something is indeed deeply broken since the
rendering is failing to display but I don't know why.
2:16 p.m.
From: Vincent Massol <vincent(a)massol.net>
The snippet looks cool but it's quite hard to understand what it does.
I've documented:
http://code.xwiki.org/xwiki/bin/view/Snippets/GenericXMLApiSnippet
Here is the corrupted class:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Cases/CaseClass
I've never seen that :) Something is indeed deeply broken since the
rendering is failing to display but I don't know why.
This is very bad for me, because I can't access that class in any way. All I
need is to rename ".unused" back to "unused", or roll back one
version, but
anyway I try to reach that, I get the same error. I think is might require
low-level access to fix.
The problem started when I renamed a property to ".unused". I thought I
could then add something like:
#if (!"$propertyName.startsWith("."))
to hide unused properties.
I think what happened is this:
The class definition is stored (or processed) in XML, and having a property
name starting with '.' confuses the parser.
For example,
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/api/genericXML?xpa…
provokes this:
org.apache.velocity.exception.MethodInvocationException: Invocation of
method 'getDocument' in class com.xpn.xwiki.api.XWiki threw exception
com.xpn.xwiki.XWikiException: Error number 3202 in 3: Exception while
reading document Cases.Woodforthetrees
Wrapped Exception: Error number 3202 in 3: Exception while reading document
Cases.CaseClass
Wrapped Exception: Error number 2002 in 2: Error parsing xml
___________________________
Yishay Mor, Researcher, London Knowledge Lab
http://www.lkl.ac.uk/people/mor.html
http://www.google.com/calendar/embed?src=yishaym%40gmail.com
+44-20-78378888 x5737
2:50 p.m.
Yishay Mor wrote:
The problem is not that the user profile is not readable, but that the
sheet that displays the profile is protected. This is a false
protection, as the user profile is readable, it simply isn't displayed.
What you can get in your XML respects the access rights.
The problem started when I renamed a property to ".unused". I thought I
could then add something like:
#if (!"$propertyName.startsWith("."))
to hide unused properties.
I think what happened is this:
The class definition is stored (or processed) in XML, and having a property
name starting with '.' confuses the parser.
Yes, that is the problem. And any action you want to perform requires
that the document is first loaded, which fails. The only way around this
is a direct database change (which I just did, now the class displays
fine). I created http://jira.xwiki.org/jira/browse/XWIKI-3026 to
remember this issue, and it will need to be solved some time later.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
the first
problem is that is seems like this API can deliver protected
data
It's already blocked by the permission system and for password fields you
shouldn't be able to see the value.
That's what I thought. But have a look at:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/XWiki/YishayMor
vs.
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/api/genericXML?xpa…
Here is the corrupted class:
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Cases/CaseClass
I've
never seen that :) Something is indeed deeply broken since the
rendering is failing to display but I don't know why.
6164
days inactive
6164
days old
4 comments
3 participants
participants (3)
-
Sergiu Dumitriu -
Vincent Massol -
Yishay Mor