On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
>
> On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
>
>> Hi devs,
>>
>> We have the need of a Configuration Source component hint for implementation
>> that only looks in non-modifiable sources (e.g. xwiki.properties).
>>
>> More specifically there's a security issue in some cases in allowing to use
>> the current "default" configuration source which looks in space preferences,
>> wiki preferences and then only in xwiki.properties.
>>
>> For example the Environment's permanent directory should not be modifiable
>> from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
>>
>> So here's the proposal:
>>
>> * Introduce a new RestrictedConfigurationSourceProvider implementation (in
>> configuration-api) that does the same as the current
>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS
>> with hint "restricted"
>> * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
>> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
>
> Made a mistake here. Instead:
>
> * Introduce a new RestrictedConfigurationSourceProvider implementation (in
> configuration-api) that does the same as the current
> ConfigurationSourceProvider but when looking up the CS, it looks for a CS
> with hint "restricted"
> * Add a new RestrictedConfigurationSource impl that uses only
> XWikiPropertiesConfigurationSource FTM

Will you put RestrictedConfigurationSource in
xwiki-commons-configuration-api or in xwiki-platform? It needs to know
about "xwikiproperties" hint, which is specific to xwiki-platform.

Thanks,
Marius

>
> No need to deprecate anything.
>
> Thanks
> -Vincent
>
>> * Modify DefaultEnvironmentConfiguration to use:
>>
>> @Inject
>> @Named("restricted")
>> private Provider<ConfigurationSource> configurationSourceProvider;
>>
>> WDYT?
>>
>> Thanks
>> -Vincent
>>
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
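
The lookup-order problem discussed in this thread, as an added example that is not part of the original messages and is not XWiki code. The `Source` interface, the helper names, the sample key and the paths are simplified stand-ins constructed for illustration; only the lookup order (space preferences, wiki preferences, then xwiki.properties) comes from the thread.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RestrictedSourceDemo {
    // Simplified stand-in for a configuration source (hypothetical, not the XWiki interface).
    interface Source { String get(String key); }

    // A map-backed source; stands in for space prefs, wiki prefs or xwiki.properties.
    static Source of(Map<String, String> values) { return values::get; }

    // Chain lookup: the first source that defines the key wins.
    static Source composite(List<Source> chain) {
        return key -> chain.stream()
            .map(s -> s.get(key))
            .filter(v -> v != null)
            .findFirst()
            .orElse(null);
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // sample key for this demo

        // Constructed sample data: values editable from wiki pages vs. the server-side file.
        Map<String, String> spacePrefs = new LinkedHashMap<>();
        Map<String, String> wikiPrefs = new LinkedHashMap<>();
        wikiPrefs.put(key, "/tmp/set-from-wiki-page");
        Map<String, String> propertiesFile = Map.of(key, "/var/lib/xwiki/data");

        Source properties = of(propertiesFile);

        // "default" hint as described in the thread: wiki-editable sources are consulted first.
        Source defaultSource = composite(List.of(of(spacePrefs), of(wikiPrefs), properties));

        // "restricted" hint as proposed: only the non-modifiable source is consulted.
        Source restricted = composite(List.of(properties));

        System.out.println("default:    " + defaultSource.get(key));
        System.out.println("restricted: " + restricted.get(key));

        // The wiki-page value must never reach a consumer wired to the restricted source.
        if (!propertiesFile.get(key).equals(restricted.get(key))) {
            throw new AssertionError("restricted source returned a wiki-editable value");
        }
    }
}
```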