Currently everything is saved with the content author set to XWiki.Admin.
This means that in a default system, every single page has programming
access and any bug which allows for arbitrary velocity to be evaluated or
even allows arbitrary xwiki syntax to be rendered in that page will be a
PR leak.

We can either (A) begin making pages with contentAuthor = XWiki.XWikiGuest
or (B) we could create a new default username which has no PR.

I'm +1 for A because of its simplicity and adding default usernames seems
ugly to me.


Caleb


Another thought, should we change the values of "creator" and "author" at
the same time?

_______________________________________________
devs mailing list
devs@xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs