On Apr 17, 2010, at 8:15 PM, [Ricardo Rodriguez] eBioTIC. wrote:

> Hi Caleb, hi all,
>
> Although I am currently a bit far from the current development stage of
> XWiki, I would like to support this and any other initiative that
> depicts the security properties of XWiki.
>
> When talking about wiki technologies with colleagues mainly from the
> biomedical arena, wiki security is their main concern. In general,
> wikis are considered "open environments" where anybody can read and/or
> modify contents. In general they are not aware of the possibility of
> using platforms such as XWiki for enterprise-level developments with a high
> level of security and access control granularity.
>
> I understand that to some extent XWiki security relies on the security
> settings of the web server, application server and database used. Even
> in this case, I think it will be really useful and welcome a page/pages
> maintained by the XWiki team that could be used to explain how secure
> this environment is.

FWIW a page was started here: http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Security

I know it doesn't cover all that Caleb has mentioned but it's a start and we can continue the effort.

-Vincent

> Ok, any of us, as Caleb did, can start this effort!
>
> Thanks for your work,
>
> Ricardo
>
>
> Caleb James DeLisle wrote:
>> It might sound silly but if there are no security requirements then there
>> are no security holes.
>> We all know when we see something which shouldn't happen but I don't think
>> there is any page defining exactly what the security requirements are.
>>
>> 1. Users should not be able to spawn additional processes on the server.
>> 2. Users should not be able to commit changes to the database except through
>>    the saveDocument function.
>> 3. Users should not be able to save documents without their name as the
>>    author or contentAuthor as applicable.
>> 4. Guests should not be able to execute server side script except that which
>>    was written and saved by a user.
>>
>> This list doesn't cover much yet. I hope to see some additions and
>> discussion of what code may violate some of the rules, as well as how we can
>> have 'untrusted' code which is unable to violate the rules.
>>
>> I propose we put up a design page for maintenance of this list.
>>
>> WDYT?
>>
>> Caleb
>>
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
>
> --
> Ricardo Rodríguez
> CTO
> eBiotic.
> Life Sciences, Data Modeling and Information Management Systems
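A small model of rules 3 and 4 from Caleb's list, added here as an illustration and not XWiki's own code or API: the save path stamps `author` and `contentAuthor` from the session rather than trusting the caller, and the execute path only runs script when the content author is a registered user holding script rights. All names (`Wiki`, `save_document`, `execute`, the `{{script}}` marker) are hypothetical.

```python
from dataclasses import dataclass

GUEST = "XWikiGuest"  # constructed placeholder for the anonymous user


@dataclass
class Document:
    name: str
    content: str
    author: str = GUEST          # who last saved the document
    content_author: str = GUEST  # who last changed the content


class PolicyViolation(Exception):
    pass


class Wiki:
    """Minimal reference monitor for the author-stamping and script rules."""

    def __init__(self, script_users: set[str]):
        self.script_users = script_users  # registered users allowed to run script
        self.docs: dict[str, Document] = {}

    def save_document(self, session_user: str, doc: Document, content: str) -> Document:
        # Rule 3: the session user becomes author, and contentAuthor whenever the
        # content changed. Any author value the caller put on the document is ignored.
        if not session_user:
            raise PolicyViolation("no session user")
        changed = content != doc.content
        doc.content = content
        doc.author = session_user
        if changed:
            doc.content_author = session_user
        self.docs[doc.name] = doc
        return doc

    def execute(self, doc: Document) -> bool:
        # Rule 4: script runs with the rights of whoever saved the content,
        # so script last saved by a guest is never executed.
        if "{{script}}" not in doc.content:
            return True  # plain content, nothing to execute
        return doc.content_author != GUEST and doc.content_author in self.script_users


def guest_edit_scenario() -> tuple:
    """A registered user saves script, then a guest edits the same page."""
    wiki = Wiki(script_users={"Admin"})
    doc = wiki.save_document("Admin", Document("Main.Page", ""), "{{script}}a{{/script}}")
    before = wiki.execute(doc)  # Admin is content author: script runs
    doc.author = "Admin"        # caller-supplied author must not survive the save
    wiki.save_document(GUEST, doc, "{{script}}b{{/script}}")
    after = wiki.execute(doc)   # guest is now content author: script does not run
    return before, after, doc.author, doc.content_author
```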

