On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:

> On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
>> 
>> On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
>> 
>>> Hi devs,
>>> 
>>> We have the need of a Configuration Source component hint for an
>>> implementation that only looks in non-modifiable sources (e.g. 
>>> xwiki.properties).
>>> 
>>> More specifically there's a security issue in some cases in allowing to use 
>>> the current "default" configuration source which looks in space 
>>> preferences, wiki preferences and then only in xwiki.properties.
>>> 
>>> For example the Environment's permanent directory should not be modifiable 
>>> from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
>>> 
>>> So here's the proposal:
>>> 
>>> * Introduce a new RestrictedConfigurationSourceProvider implementation (in 
>>> configuration-api) that does the same as the current 
>>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS 
>>> with hint "restricted"
>>> * Deprecate the current XWikiPropertiesConfigurationSource (hint = 
>>> "default")
>>> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
>> 
>> Made a mistake here. Instead:
>> 
>> * Introduce a new RestrictedConfigurationSourceProvider implementation (in 
>> configuration-api) that does the same as the current 
>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS 
>> with hint "restricted"
> 
>> * Add a new RestrictedConfigurationSource impl that uses only 
>> XWikiPropertiesConfigurationSource FTM
> 
> Will you put RestrictedConfigurationSource in
> xwiki-commons-configuration-api or in xwiki-platform? It needs to know
> about "xwikiproperties" hint, which is specific to xwiki-platform.

It's in platform-configuration-default, next to DefaultConfigurationSource.

thanks
-Vincent

> 
> Thanks,
> Marius
> 
>> 
>> No need to deprecate anything.
>> 
>> Thanks
>> -Vincent
>> 
>>> * Modify DefaultEnvironmentConfiguration to use:
>>> 
>>>    @Inject
>>>    @Named("restricted")
>>>    private Provider<ConfigurationSource> configurationSourceProvider;
>>> 
>>> WDYT?
>>> 
>>> Thanks
>>> -Vincent
>>> 
>> 
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs

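The lookup-order problem discussed in this thread, as an added example that is not part of the original messages and is not XWiki code. The Source interface, the helper names, the key name and the sample values are all assumptions made for illustration; only the lookup order (space preferences, wiki preferences, then xwiki.properties) comes from the thread.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class RestrictedSourceDemo {
    // Simplified stand-in for a configuration source; NOT XWiki's real interface.
    interface Source { Optional<String> get(String key); }

    // One backing store (a preferences page or the properties file), modelled as a map.
    static Source store(Map<String, String> values) {
        return key -> Optional.ofNullable(values.get(key));
    }

    // First hit wins, in order: models the "default" lookup chain described in the thread.
    static Source chain(Source... sources) {
        return key -> List.of(sources).stream()
            .map(s -> s.get(key)).flatMap(Optional::stream).findFirst();
    }

    // Security-sensitive consumer: reads only the restricted source and falls back to a
    // fixed built-in default, never to a wiki-editable store.
    static String permanentDirectory(Source restricted, String key) {
        return restricted.get(key).orElse(System.getProperty("java.io.tmpdir"));
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // key name used for illustration
        // Constructed sample data. The first two stores are editable from wiki pages.
        Source spacePrefs = store(Map.of());
        Source wikiPrefs = store(Map.of(key, "/tmp/value-set-from-a-wiki-page"));
        Source propertiesFile = store(Map.of(key, "/var/lib/xwiki/data"));

        Source defaultSource = chain(spacePrefs, wikiPrefs, propertiesFile);
        Source restrictedSource = chain(propertiesFile); // server-side file only

        // The default chain returns the wiki-editable value, which shadows the file.
        System.out.println("default:    " + defaultSource.get(key).orElseThrow());
        // The restricted source ignores anything a wiki editor can change.
        System.out.println("restricted: " + permanentDirectory(restrictedSource, key));
    }
}
```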
