On May 30, 2012, at 2:26 PM, Vincent Massol wrote:

> Hi devs,
> 
> We have the need of a Configuration Source component hint for an implementation 
> that only looks in non-modifiable sources (e.g. xwiki.properties).
> 
> More specifically there's a security issue in some cases in allowing to use 
> the current "default" configuration source which looks in space preferences, 
> wiki preferences and then only in xwiki.properties.
> 
> For example the Environment's permanent directory should not be modifiable 
> from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> 
> So here's the proposal:
> 
> * Introduce a new RestrictedConfigurationSourceProvider implementation (in 
> configuration-api) that does the same as the current 
> ConfigurationSourceProvider but when looking up the CS, it looks for a CS 
> with hint "restricted"
> * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"

Made a mistake here. Instead:

* Introduce a new RestrictedConfigurationSourceProvider implementation (in 
configuration-api) that does the same as the current 
ConfigurationSourceProvider but when looking up the CS, it looks for a CS with 
hint "restricted"
* Add a new RestrictedConfigurationSource impl that uses only 
XWikiPropertiesConfigurationSource FTM

No need to deprecate anything.

Thanks
-Vincent

> * Modify DefaultEnvironmentConfiguration to use:
> 
>    @Inject
>    @Named("restricted")
>    private Provider<ConfigurationSource> configurationSourceProvider;
> 
> WDYT?
> 
> Thanks
> -Vincent
> 

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
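
Added example, not part of the original message and not XWiki's own code: a self-contained Java model of the lookup order described above (space preferences, wiki preferences, then xwiki.properties) next to a "restricted" view that consults only sources that cannot be edited from wiki pages. The interface and class names are simplified stand-ins, the property key name is an assumption, and all values are constructed.

```java
import java.util.*;

public class RestrictedSourceDemo {
    /** Simplified stand-in for a configuration source (not the XWiki interface). */
    interface ConfigurationSource { Optional<String> getProperty(String key); }

    /** One source backed by a map; modifiableFromWiki marks sources editable through wiki pages. */
    static final class MapSource implements ConfigurationSource {
        final boolean modifiableFromWiki;
        final Map<String, String> values;
        MapSource(boolean modifiableFromWiki, Map<String, String> values) {
            this.modifiableFromWiki = modifiableFromWiki;
            this.values = values;
        }
        public Optional<String> getProperty(String key) { return Optional.ofNullable(values.get(key)); }
    }

    /** First source in the chain that defines the key wins. */
    static final class CompositeSource implements ConfigurationSource {
        private final List<MapSource> chain;
        CompositeSource(List<MapSource> chain) { this.chain = chain; }
        public Optional<String> getProperty(String key) {
            for (MapSource s : chain) {
                Optional<String> v = s.getProperty(key);
                if (v.isPresent()) return v;
            }
            return Optional.empty();
        }
    }

    /** "restricted" view: the same chain minus every source that can be edited from the wiki. */
    static ConfigurationSource restricted(List<MapSource> chain) {
        List<MapSource> fixed = new ArrayList<>();
        for (MapSource s : chain) if (!s.modifiableFromWiki) fixed.add(s);
        return new CompositeSource(fixed);
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // assumed key name
        List<MapSource> chain = List.of(               // constructed sample data
            new MapSource(true, Map.of()),                                  // space preferences
            new MapSource(true, Map.of(key, "/tmp/set-from-a-wiki-page")),  // wiki preferences
            new MapSource(false, Map.of(key, "/var/lib/xwiki/data")));      // xwiki.properties
        // "default" behaviour: the wiki-editable value shadows the file value.
        System.out.println("default:    " + new CompositeSource(chain).getProperty(key).orElse("<unset>"));
        // "restricted" behaviour: only the non-modifiable file is consulted.
        System.out.println("restricted: " + restricted(chain).getProperty(key).orElse("<unset>"));
        // A key set only in wiki preferences is invisible to the restricted view.
        System.out.println("wiki-only:  " + restricted(chain).getProperty("some.other.key").orElse("<unset>"));
    }
}
```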
