Hi Denis,

Why is this a security issue and how is this different from importing a xar
in the main wiki (where XWiki.Admin has PR and everything)?

The issue at hand is not about setting the current user as author for any
import done in a wiki. It's about doing so just for a wiki template, when
creating it from a template xar. The template xar that you are using is the
one you have very carefully composed and approved (as a global admin). It
is not a random application's xar that you are importing at wiki template
creation time. Most of the time you are going to use a XE xar anyway which
has XWiki.Admin everywhere and that is causing some problems that this
change will fix.

Please provide some additional arguments for your -1. This issue is
currently breaking things in Workspaces.

Thanks,
Eduard

On Thu, Dec 15, 2011 at 2:48 PM, Denis Gervalle <[email protected]> wrote:

> -1, this would be an obvious security issue and it is worse than simply
> ensuring proper authoring in the template where needed.
>
> Denis
>
> On Wed, Dec 14, 2011 at 22:06, Eduard Moraru <[email protected]> wrote:
>
> > Hi devs,
> >
> > Right now, when you create a wiki template from a xar, the import that is
> > done in the background is a backup import, meaning that the last author of
> > the pages that get imported in the new wiki keep the author specified by
> > the xar. This often creates problems like:
> > - Missing Programming Rights
> > - Unregistered macros
> > - Malfunctioning scripts
> >
> > These problems can appear because the user specified in the xar (even if it
> > is XWiki.Admin) is almost always a local user and subwiki local users do
> > not have PR.
> > If it's not a PR issue, then the user specified in the xar can be
> > non-existent and this makes admin checks fail, thus failing wiki macro
> > registration for the entire subwiki.
> >
> > We are currently experiencing this problem in Workspaces, since, at the
> > install step, we create a workspace template by using a
> > workspace-template.xar (default XE but can also be user provided). Since we
> > make sure to delete any local users (including XWiki.Admin), the Wiki
> > macros will not be registered in the template and, obviously, neither in
> > any created workspace.
> >
> > I'm hoping to include this in 3.3 final so that Workspaces can avoid the
> > macro registration problems (and possibly others).
> >
> > So I'm asking for your vote to change the current default to non-backup.
> > This means that all the pages in the new subwiki template will have the
> > current admin user that created the template as last author.
> >
> > Here's my +1.
> >
> > Thanks,
> > Eduard
> > _______________________________________________
> > devs mailing list
> > [email protected]
> > http://lists.xwiki.org/mailman/listinfo/devs
> >
>
>
>
> --
> Denis Gervalle
> SOFTEC sa - CEO
> eGuilde sarl - CTO