On Oct 27, 2009, at 12:31 PM, jvdrean (SVN) wrote:

> Author: jvdrean
> Date: 2009-10-27 12:31:28 +0100 (Tue, 27 Oct 2009)
> New Revision: 24726
>
> Modified:
>   platform/xwiki-plugins/trunk/watchlist/src/main/java/com/xpn/xwiki/ 
> plugin/watchlist/WatchListEvent.java
> Log:
> XPWATCHLIST-91 : Hide email fields in notifications
>
> Properties named "email" are now obfuscated.
>
> Modified: platform/xwiki-plugins/trunk/watchlist/src/main/java/com/ 
> xpn/xwiki/plugin/watchlist/WatchListEvent.java
> ===================================================================
> --- platform/xwiki-plugins/trunk/watchlist/src/main/java/com/xpn/ 
> xwiki/plugin/watchlist/WatchListEvent.java    2009-10-26 16:45:15 UTC  
> (rev 24725)
> +++ platform/xwiki-plugins/trunk/watchlist/src/main/java/com/xpn/ 
> xwiki/plugin/watchlist/WatchListEvent.java    2009-10-27 11:31:28 UTC  
> (rev 24726)
> @@ -78,6 +78,16 @@
>     private static final String PREINITIAL_DOCUMENT_VERSION = "1.0";
>
>     /**
> +     * Value to display in diffs for hidden properties (email,  
> password, etc).
> +     */
> +    private static final String HIDDEN_PROPERTIES_OBFUSCATED_VALUE  
> = "******************";
> +
> +    /**
> +     * Name of email property.
> +     */
> +    private static final String EMAIL_PROPERTY_NAME = "email";
> +

If you wanted to make this generic you'd need to provide a callback  
(an interface called) so that applications can have a say in how their  
data is displayed. There would be default displayers but apps would be  
able to override them. Then the User application (or the admin app if  
users are considered inside the admin app) would override the display  
for XWikiUsers properties named email.

That said, it's probably a good idea to obfuscate all email properties  
by default so an email property type would be a good thing too.

Just some ideas for the future and for improved comments in the source  
code (so that we remember).

Thanks
-Vincent

> +    /**
>      * Event hashcode.
>      */
>     private final int hashCode;
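
Review bot: The Javadoc on EMAIL_PROPERTY_NAME ("Name of email property.") does not say how the constant is used: it is compared against the property name of every object diff, whatever class the object belongs to, and the comparison is exact. Please document that here, and note in the HIDDEN_PROPERTIES_OBFUSCATED_VALUE comment that "password" is detected by property type (PasswordClass) while "email" is detected by name, since the "(email, password, etc)" wording suggests a single mechanism.
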
> @@ -437,9 +447,10 @@
>              
> diff.getDifferencesAsHTML(objectDiff.getPrevValue().toString(),  
> objectDiff.getNewValue().toString(),
>                 false);
>
> -        if  
> (objectDiff 
> .getPropType 
> ().equals 
> (StringUtils.substringAfterLast(PasswordClass.class.getName(), "."))
> -            && !StringUtils.isBlank(propDiff)) {
> -            propDiff = "******************";
> +        // We hide PasswordClass properties and properties named  
> "email" from notifications for security reasons.
> +        if  
> ((objectDiff 
> .getPropType 
> ().equals 
> (StringUtils.substringAfterLast(PasswordClass.class.getName(), "."))
> +            ||  
> objectDiff.getPropName().equals(EMAIL_PROPERTY_NAME)) && ! 
> StringUtils.isBlank(propDiff)) {
> +            propDiff = HIDDEN_PROPERTIES_OBFUSCATED_VALUE;
>         }
>
>         return propDiff;
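
Review bot: The added test objectDiff.getPropName().equals(EMAIL_PROPERTY_NAME) is an exact, case-sensitive match, so a property named "Email" or "contact_email" would still be sent in clear in the notification, and the call dereferences getPropName() without a null check. Consider EMAIL_PROPERTY_NAME.equalsIgnoreCase(objectDiff.getPropName()), which is null-safe and covers case variants. Separately, getDifferencesAsHTML() is still run on the previous and new values before the mask is applied; doing the hidden-property check first and skipping the diff for hidden properties would keep the clear values out of the diff code path entirely.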
