Nacho Gonzalez Mac Dowell a écrit :
Emmanuel Venisse escribió:
Nacho Gonzalez Mac Dowell a écrit :
Hi all, I have a couple of questions regarding continuum's webapp.
I've been looking through jira and haven't found these issues tackled.
1. Is it just me or permissions are not checked when adding/removing
projects? If I log in, copy the url for deleting a project and then
logout, it seems that I can delete the project anyways. After going
through the sources, I didn't find where permissions are checked.
You're right, it's a big problem in actual code that will be fixed in
1.1 (not in 1.0.3).
We'll use acegi security framework for that.
Is there a branch or anything yet for this issue?
We have a branch for 1.0.3, it's continuum-1.0.x
1.1 is in trunk, but acegi isn't there for the moment.
2. What is the use of parsing the pom when introducing a new maven1
project? IMHO the pom should be parsed after checkout. This would
allow building projects which extend from others if the extension
project is included first. Maybe it would be useful to specify the
relative url of the pom when the checkout is performed. IMO all you
need to build a maven project is the scm connection url and
parameters and the relative url to the pom.
We need to parse the pom when we add it for initializing it in
Continuum. We'll can perhaps allow to add maven1 project which extend
an other but only for parent project in the same checkout tree.
In the same checkout tree or, maybe, from an already parsed pom?
Obviestly the order in which projects are added would then be quite
important.
We can't extends an already parsed pom because extend feature in maven1 doesn't provide information
other than the relative path to parent pom, so we can't know which parent it is a project list.
And, if we suppose that we can find it, we'll need to modify the relative path to the parent in the
child, because continuum store projects on filesystem differently that it is in scm or on developer
machine.
Also, why does Continuum need to know from the project except its scm
url and the relative path to the pom? If it does need more things (which
I may be missing) it could perform a checkout when adding a project,
rather than uploading (for the upload case, not for the url case).
We need groupId, artifactId, version, scm url, dependencies and notifiers when we add a project in
continuum.
groupId, artifactId, version and dependencies are necessary to find the correct
build order.
I am also worried that if the pom changes substantially with time, then
a reparse of the pom would be needed if uploaded?
3. Isn't the scm password stored as clear text on the db? Usually
this is a unix user/password from the scm machine... I would consider
making a certificate for ssh connection or something like that. Then
the public key for the user could be available for download and put
in the scm machine.
It's a possible solution to implement.
The only problem I see with this issue is that the only ssh-keygen java
port I know is from mindterm which is now propietary. How could we do
this maintaining portability? Any ideas? Does anybody see any other
solution for not storing clear text password on the db?
ssh-keygen is available in jsch (http://www.jcraft.com/jsch/) too.
Emmanuel
best regards,
nacho
