[ 
https://issues.apache.org/jira/browse/ROL-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dave Johnson resolved ROL-342.
------------------------------

    Resolution: Fixed
      Assignee: Dave Johnson  (was: Roller Unassigned)

Fixed by ROL-1727
                
> The trustUsers configuration parameter
> --------------------------------------
>
>                 Key: ROL-342
>                 URL: https://issues.apache.org/jira/browse/ROL-342
>             Project: Roller
>          Issue Type: Improvement
>          Components: Configuration & Settings
>            Reporter: David Johnson
>            Assignee: Dave Johnson
>
> Roller does not place the same things in the Velocity context as the stock 
> Velocity Servlet does because, if we did, users could potentially hack into 
> each other's accounts. For example, we don't put the ServletRequest into 
> the context because users could call request.getSession() and get access to 
> the global Roller object. 
> There are two ways we can accommodate your need for cookies and I think both 
> should be done:
> 1) add getCookie() and setCookie() methods to the pageModel object so that 
> untrusted users in a multi-user Roller system can access cookies.
> 2) add a new Roller configuration parameter, a boolean, called "trustUsers". 
> If you are setting up a Roller install for a single user or for a small group 
> of users who you trust, you'd set this to true. If this parameter is true, 
> then Roller will put the normal Velocity objects into context ($request, 
> $response, $cookie, etc.). Otherwise, Roller will behave as it does now.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
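The two proposals in the quoted issue (a narrow cookie API on pageModel for untrusted weblog authors, and a trustUsers switch that decides whether the raw request and response are ever placed in the template context) can be sketched as follows. This is an added illustration written for this page, not Roller's own code or the fix that shipped as ROL-1727. It assumes only the Servlet API; the class and method names, the per-weblog cookie name prefix and the name character whitelist are design choices made here, not anything Roller specifies.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative sketch (not Roller code): builds the object map handed to the
 * template engine. Untrusted template authors only ever see a PageModel; the
 * raw request/response are added solely when trustUsers is on.
 */
public final class TemplateContextBuilder {

    /** The only cookie surface an untrusted template can reach. */
    public static final class PageModel {
        // A read-only copy of the incoming cookies. The request itself is
        // never stored, so no public method can lead back to getSession().
        private final Map<String, String> cookies;
        private final HttpServletResponse response;   // private: no getter, so not reachable from a template
        private final String allowedPrefix;           // assumption: cookies are namespaced per weblog

        PageModel(HttpServletRequest request, HttpServletResponse response, String allowedPrefix) {
            Map<String, String> copy = new LinkedHashMap<>();
            Cookie[] incoming = request.getCookies();
            if (incoming != null) {
                for (Cookie c : incoming) {
                    copy.put(c.getName(), c.getValue());
                }
            }
            this.cookies = Collections.unmodifiableMap(copy);
            this.response = response;
            this.allowedPrefix = allowedPrefix;
        }

        /** Returns the cookie value, or null if absent. Exposes no request, session or servlet context. */
        public String getCookie(String name) {
            return cookies.get(name);
        }

        /**
         * Sets a cookie. The name must carry the weblog's prefix and use a
         * conservative character set, so one weblog's template cannot clobber
         * another weblog's cookies or the container's session cookie.
         */
        public boolean setCookie(String name, String value, int maxAgeSeconds) {
            if (name == null
                    || !name.startsWith(allowedPrefix)
                    || !name.matches("[A-Za-z0-9_.-]+")) {
                return false;
            }
            Cookie c = new Cookie(name, value == null ? "" : value);
            c.setMaxAge(maxAgeSeconds);   // negative = session cookie, 0 = delete
            c.setPath("/");
            response.addCookie(c);
            return true;
        }
    }

    private final boolean trustUsers;

    /** trustUsers would come from Roller's configuration (the boolean proposed in the issue). */
    public TemplateContextBuilder(boolean trustUsers) {
        this.trustUsers = trustUsers;
    }

    public Map<String, Object> build(HttpServletRequest req, HttpServletResponse resp, String weblogHandle) {
        Map<String, Object> ctx = new HashMap<>();
        // Always present: the narrow accessor.
        ctx.put("pageModel", new PageModel(req, resp, weblogHandle + "_"));
        if (trustUsers) {
            // Single-user or trusted-group install: behave like the stock
            // VelocityServlet and expose the container objects directly.
            ctx.put("request", req);
            ctx.put("response", resp);
        }
        // Otherwise $request and $response simply do not exist in the
        // template, so $request.getSession() has nothing to call.
        return ctx;
    }
}
```

The check that matters when reviewing a wrapper like this is reachability by reflection: Velocity resolves `$obj.method(...)` against any public method, so the wrapper must not have a public method or getter whose return type is the request, the session or the servlet context. Here the only public methods return a String or a boolean, and the response is held privately with no accessor.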