Hi devs,

We need a Configuration Source component hint for an implementation 
that only looks in non-modifiable sources (e.g. xwiki.properties).

More specifically, there's a security issue in some cases in allowing the use of the 
current "default" configuration source, which looks in space preferences, wiki 
preferences and then only in xwiki.properties.

For example the Environment's permanent directory should not be modifiable from 
wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).

So here's the proposal:

* Introduce a new RestrictedConfigurationSourceProvider implementation (in 
configuration-api) that does the same as the current 
ConfigurationSourceProvider but when looking up the CS, it looks for a CS with 
hint "restricted"
* Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
* Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
* Modify DefaultEnvironmentConfiguration to use:

    @Inject
    @Named("restricted")
    private Provider<ConfigurationSource> configurationSourceProvider;

WDYT?

Thanks
-Vincent

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
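
The lookup-order problem described in the message above, as an added example that is not part of the original mail and is not XWiki's own code. The Source, MapSource and Chain types are hypothetical stand-ins, and the property key, paths and values are constructed sample data.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class RestrictedConfigDemo {
    // Simplified stand-in for a configuration source (hypothetical, not XWiki's interface).
    interface Source { Optional<String> get(String key); }

    // One source backed by a map; "editable" marks values that can be changed from wiki pages.
    record MapSource(String name, boolean editable, Map<String, String> values) implements Source {
        public Optional<String> get(String key) { return Optional.ofNullable(values.get(key)); }
    }

    // Models the "default" lookup order from the mail: the first source defining the key wins.
    record Chain(List<MapSource> sources) implements Source {
        public Optional<String> get(String key) {
            return sources.stream().map(s -> s.get(key)).flatMap(Optional::stream).findFirst();
        }

        // Models the proposed "restricted" hint: only non-modifiable sources are consulted.
        Chain restricted() {
            return new Chain(sources.stream().filter(s -> !s.editable()).toList());
        }

        // Audit helper: editable sources that would win over xwiki.properties for this key.
        List<String> overriddenBy(String key) {
            return sources.stream().filter(s -> s.editable() && s.get(key).isPresent())
                    .map(MapSource::name).toList();
        }
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // assumed key name for the permanent directory
        // Constructed sample data: a wiki preference shadows the value from xwiki.properties.
        MapSource space = new MapSource("space preferences", true, Map.of());
        MapSource wiki = new MapSource("wiki preferences", true, Map.of(key, "/tmp/set-from-wiki-page"));
        MapSource props = new MapSource("xwiki.properties", false, Map.of(key, "/var/lib/xwiki/data"));

        Chain defaultChain = new Chain(List.of(space, wiki, props));
        System.out.println("default:       " + defaultChain.get(key).orElse("<unset>"));
        System.out.println("restricted:    " + defaultChain.restricted().get(key).orElse("<unset>"));
        System.out.println("overridden by: " + defaultChain.overriddenBy(key));
    }
}
```

Run with `java RestrictedConfigDemo.java` on Java 16 or later. The default chain returns the wiki-page value, while the restricted chain returns the value from xwiki.properties.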
