Hi Jerome,
On Jan 19, 2011, at 8:04 PM, Jerome Velociter wrote:
> Hi developers,
>
> I've setup and worked on a couple of wiki farms recently, and my feedback is
> that the PR issue has become for me a major PITA.
> It's worst than before, because we've introduced a lot of pages that
> requires it : annotations style and script, plus the wiki macros for
> activity, tag cloud, space, etc.
Most (if not all of these) should be fixed too to not require PR IMO.
> (OK, it's not really PR, it's edit right of
> the last person who did edit it, but it's the same issue mostly : you need
> to have it saved by someone with sufficient rights).
>
> Importing not as back-up (meaning all pages imported from the XAR are saved
> by the user doing the import) is not sufficient answer, for several reason :
> * User might not have programming rights
> * When user has programming rights, it's a BAD practice in terms of security
> (it means every page of the wiki initially has the PR right OK)
> * Wiki creation is also done by template wiki copy, which is not covered by
> this
> * This problem is not just an import/creation problem, we need generally a
> way to know which pages require PR, and which are missing this PR (users can
> be deleted, their rights can change, etc.).
>
> OK, that looks like sufficient complaining :)
>
> Here what I propose, tell me what you think :
>
> 1. We define a XWiki class, like XWiki.RequiredRightClass, with a field that
> describe the required right the user saving the document must have for it to
> behave properly (for example it will be "edit" for wiki macros with a "wiki"
> scope, and "programming" for pages that uses privileged APIs, or JSR
> scripts, or always use SSX, etc.)
So an error will happen at save time if the user saving doesn't have the right?
So this mechanism is only used when saving documents. At execution time it'll
remain the same mechanism and checks as now right?
Also how does this solve the issue you mentioned with importing a XAR? If the
user importing it doesn't have PR the page will fail to be saved. So you'll
either need to scan the XAR to warn about pages that will have problems if the
user doesn't have PR or you need a UI to list pages in error after the import
in order to fix them. Best IMO is to refuse to import pages that have PR if you
don't have PR (ie if you import 10 pages with one requiring PR then you refuse
to perform the import altogether as otherwise you're left with an inconsistent
set of pages).
What about backup packs for which the page is saved with its original user? How
is that different from now?
> 2. We make a simple UI (for example in the administration section of the
> admin app) that list all of them, and their current status. Plus a button to
> fix the status if there is something to fix (a missing PR for example) and
> if the user seeing the page has the required rights of course.
>
> That's what I propose for now.
Would we allow anyone with simple edit rights from removing the
RequiredRightClass object? AFAIU this object is just indicative and not
required for security. It's just used as a "helper" when saving/importing
documents, correct?
Regarding macros we also discussed in the past about adding a parameter to
mention which right is required for a macro to execute. For example:
{{velocity ... requiredRight="programming"}}
...
{{/velocity}}
I also know that Caleb mentioned using signatures in macros on IRC (I don't
think he sent a proposal for that on the list though).
> In the future, we could imagine that :
>
> 3. Programming right can only be granted on a page that requires
> it explicitly. This would be a non-backward compatible change.
Not sure I understand this point.
> Let me know what you think.
>
> If we agree I volunteer to implement this in 3.0 M2.
There's also the possibility of adding document metadata inside the
XWikiDocument object (as a private field) itself and not through an XObject.
Since this looks like some core metadata it could be a solution too. It would
require a DB schema change (one more column) and a specialized UI in edit mode
though...
Let's see what others think.
Generally speaking our PR mechanism looks a bit like a kludge.
Thanks
-Vincent
>
> Jerome.
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
