20 Jul
2007
20 Jul
'07
9:35 p.m.
Ok so I'm using xwiki 1.0 standalone. Setup is pretty simple. I just
unzipped the files and ran the start_xwiki.sh and opened it up in my
browser. I haven't made any modifications (except changing the port number
to 80 in the startup script).
My problem is that a lot of the security related options don't seem to work.
For example, when I create a new group, it doesn't always show up under
http://192.168.1.27/xwiki/bin/view/XWiki/XWikiGroups and if I try to
recreate that group it says it already exists.
Also, when adding a user to a group by clicking the little + button to add a
new line for a new user (on
http://192.168.1.27/xwiki/bin/inline/XWiki/GroupName), the link goes to
http://192.168.1.27xwiki/bin/objectadd/XWiki/GroupName?classname=XWiki.XWik…
Notice that there's no "/" in between the IP address and "xwiki",
so of
course the "page cannot be displayed". If I fix the link myself in the
address bar and add the missing "/" then the page allowing me to add a user
comes up correctly. If I change the startup script to go back to port 8080
(default), then the link is
http://192.168.1.27:8080/bin/objectadd/XWiki/GroupName?classname=XWiki.XWik…Name.
Of course, now there's a "/" but "/xwiki" is missing and I still
get a "page
cannot be displayed".
My other problem is that once I do get a user and/or group created and I
want to set permissions on a particular "space" (i.e. I do or don't want it
to show up altogether for different users), I can deny all the permissions
available on the administration "space rights" tab, but the space is still
visible on the right hand side, it's just that it returns the user an error
if they don't have rights. So I figured I might be able to hide the space
altogether and saw the "space prefs" tab and thought that might be useful.
Of course the link for this tab is
http://192.168.1.27xwiki/bin/objectadd/SpaceName/WebPreferences?classname=X…ce=SpaceName.
Notice the lack of "/" in between the IP address and "xwiki" again at
the
beginning of the link. Of course I can't bring that page up either. I'm
using a completely default xwiki 1.0 standalone version downloaded from
xwiki.org on Fedora 7. Apache is not running, just xwiki (tomcat, I guess).
It seems rather bizarre that I'd have so many problems with something I
didn't change at all, except for the port number. Of course, changing the
port number back just mangles the above mentioned links differently. It
doesn't fix the problem. Seems like I'm missing something pretty
fundamental here. Any ideas what I'm doing wrong?
-BJ Quinn
--
View this message in context:
http://www.nabble.com/Security-problems-tf4119184.html#a11714695
Sent from the XWiki- Users mailing list archive at Nabble.com.
23 Jul
23 Jul
3:07 p.m.
New subject: [xwiki-users] Security problems
Don't know about the link problems, looks like a bug to me.
However, mystifying behavior often results when adding groups or adding
users to groups. I fought this for quite a while even after reading the
FAQ that mentioned this, and here's the reason for the fuddlement.
For performance reasons, XWiki caches group memberships, and the cache
must be flushed before changes to the groups take effect. The
XWikiGroupService itself also has a separate cache.
Because my memory is a little faint on this, please take this as a clue
rather than an absolute procedure: First and foremost, you should find
that restarting XWiki causes the newly-created groups and members to
behave as expected. If you find restarting undesirable, as I suspect,
calling xwiki.flushCache() should have the same effect, without having
to take down the whole wiki, but it will cause the first requests after
it to load more slowly. Finally, the least disruptive (and the one I'm
least sure of) is xwiki.getGroupService().flushCache().
Note: the object "xwiki" in both cases above is an instance of
com.xpn.xwiki.XWiki, which can be obtained in a Velocity script by the
reference $xwiki.getXWiki() (or just $xwiki.xWiki, of course). The
getWiki method is privileged, and accessible only to pages whose last
author has the "programming" privilege on that page.
brain[sic]
-----Original Message-----
From: bjquinn [mailto:bjquinn@seidal.com]
Sent: Friday, July 20, 2007 2:35 PM
To: xwiki-users(a)objectweb.org
Subject: [xwiki-users] Security problems
Ok so I'm using xwiki 1.0 standalone. Setup is pretty
simple. I just unzipped the files and ran the start_xwiki.sh
and opened it up in my browser. I haven't made any
modifications (except changing the port number to 80 in the
startup script).
My problem is that a lot of the security related options
don't seem to work.
For example, when I create a new group, it doesn't always
show up under
http://192.168.1.27/xwiki/bin/view/XWiki/XWikiGroups and if I
try to recreate that group it says it already exists.
Also, when adding a user to a group by clicking the little +
button to add a new line for a new user (on
http://192.168.1.27/xwiki/bin/inline/XWiki/GroupName), the
link goes to
http://192.168.1.27xwiki/bin/objectadd/XWiki/GroupName?classna
me=XWiki.XWikiGroups&xredirect=http://192.168.1.27/xwiki/bin/inl>
ine/XWiki/GroupName
Notice that there's no "/" in between
the IP address and
"xwiki", so of course the "page cannot be displayed". If I
fix the link myself in the address bar and add the missing
"/" then the page allowing me to add a user comes up
correctly. If I change the startup script to go back to port
8080 (default), then the link is
http://192.168.1.27:8080/bin/objectadd/XWiki/GroupName?classna
me=XWiki.XWikiGroups&xredirect=http://192.168.1.27/xwiki/bin/inl>
ine/XWiki/GroupName.
Of course, now there's a "/" but
"/xwiki" is missing and I
still get a "page cannot be displayed".
My other problem is that once I do get a user and/or group
created and I want to set permissions on a particular "space"
(i.e. I do or don't want it to show up altogether for
different users), I can deny all the permissions available on
the administration "space rights" tab, but the space is still
visible on the right hand side, it's just that it returns the
user an error if they don't have rights. So I figured I
might be able to hide the space altogether and saw the "space
prefs" tab and thought that might be useful.
Of course the link for this tab is
http://192.168.1.27xwiki/bin/objectadd/SpaceName/WebPreference
s?classname=XWiki.XWikiPreferences&xredirect=http://192.168.1.
27/xwiki/bin/admin/SpaceName/WebPreferences?editor=spaceprefs&
global=1&space=SpaceName.
Notice the lack of "/" in between the IP
address and "xwiki"
again at the beginning of the link. Of course I can't bring
that page up either. I'm using a completely default xwiki
1.0 standalone version downloaded from xwiki.org on Fedora 7.
Apache is not running, just xwiki (tomcat, I guess).
It seems rather bizarre that I'd have so many problems with
something I didn't change at all, except for the port number.
Of course, changing the port number back just mangles the
above mentioned links differently. It doesn't fix the
problem. Seems like I'm missing something pretty fundamental
here. Any ideas what I'm doing wrong?
-BJ Quinn
--
View this message in context:
http://www.nabble.com/Security-problems-tf4119184.html#a11714695
Sent from the XWiki- Users mailing list archive at Nabble.com.
6318
days inactive
6321
days old
1 comments
2 participants
participants (2)
-
bjquinn -
THOMAS, BRIAN M (ATTSI)