On Wed, May 30, 2012 at 5:18 PM, Vincent Massol <[email protected]> wrote:
>
> On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
>
>> On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
>>>
>>> On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
>>>
>>>> Hi devs,
>>>>
>>>> We have the need for a Configuration Source component hint for an 
>>>> implementation that only looks in non-modifiable sources (e.g. 
>>>> xwiki.properties).
>>>>
>>>> More specifically, there's a security issue in some cases in allowing the 
>>>> use of the current "default" configuration source, which looks in space 
>>>> preferences, wiki preferences and then only in xwiki.properties.
>>>>
>>>> For example the Environment's permanent directory should not be modifiable 
>>>> from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
>>>>
>>>> So here's the proposal:
>>>>
>>>> * Introduce a new RestrictedConfigurationSourceProvider implementation (in 
>>>> configuration-api) that does the same as the current 
>>>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS 
>>>> with hint "restricted"
>>>> * Deprecate the current XWikiPropertiesConfigurationSource (hint = 
>>>> "default")
>>>> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
>>>
>>> Made a mistake here. Instead:
>>>
>>> * Introduce a new RestrictedConfigurationSourceProvider implementation (in 
>>> configuration-api) that does the same as the current 
>>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS 
>>> with hint "restricted"
>>
>>> * Add a new RestrictedConfigurationSource impl that uses only 
>>> XWikiPropertiesConfigurationSource FTM
>>
>> Will you put RestrictedConfigurationSource in
>> xwiki-commons-configuration-api or in xwiki-platform? It needs to know
>> about "xwikiproperties" hint, which is specific to xwiki-platform.
>
> It's in platform-configuration-default, next to DefaultConfigurationSource.

+1 then.

Thanks,
Marius

>
> thanks
> -Vincent
>
>>
>> Thanks,
>> Marius
>>
>>>
>>> No need to deprecate anything.
>>>
>>> Thanks
>>> -Vincent
>>>
>>>> * Modify DefaultEnvironmentConfiguration to use:
>>>>
>>>>    @Inject
>>>>    @Named("restricted")
>>>>    private Provider<ConfigurationSource> configurationSourceProvider;
>>>>
>>>> WDYT?
>>>>
>>>> Thanks
>>>> -Vincent
>>>>
>>>
>>> _______________________________________________
>>> devs mailing list
>>> [email protected]
>>> http://lists.xwiki.org/mailman/listinfo/devs
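
The lookup-order problem discussed in this thread, as an added example that is not part of the original messages and is not XWiki code: a first-match chain lets a wiki-editable layer shadow the value from the properties file, while a chain restricted to the file does not. The `Source` interface, the helper names, the key name and the paths are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class RestrictedLookupDemo {
    // Hypothetical stand-in for a configuration source; not the XWiki ConfigurationSource interface.
    interface Source {
        Optional<String> get(String key);
    }

    // A source backed by a map; models one layer (space prefs, wiki prefs, properties file).
    static Source of(Map<String, String> values) {
        return key -> Optional.ofNullable(values.get(key));
    }

    // The first source that defines the key wins, mirroring the lookup order described in the thread.
    static Source chain(List<Source> sources) {
        return key -> sources.stream()
            .map(s -> s.get(key))
            .flatMap(Optional::stream)
            .findFirst();
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // assumed key name

        // Constructed sample data for the three layers.
        Map<String, String> spacePrefs = new LinkedHashMap<>();
        Map<String, String> wikiPrefs = new LinkedHashMap<>();
        Map<String, String> propertiesFile = Map.of(key, "/var/lib/xwiki/data");

        // Someone with edit rights on a preferences page defines the same key from the wiki.
        spacePrefs.put(key, "/tmp/chosen-from-a-wiki-page");

        // "default"-like chain: wiki-editable layers are consulted before the file.
        Source defaultLike = chain(List.of(of(spacePrefs), of(wikiPrefs), of(propertiesFile)));
        // "restricted"-like chain: only the non-modifiable file is consulted.
        Source restrictedLike = chain(List.of(of(propertiesFile)));

        System.out.println("default-like:    " + defaultLike.get(key).orElse("<unset>"));
        System.out.println("restricted-like: " + restrictedLike.get(key).orElse("<unset>"));
    }
}
```

Any component that reads a security-sensitive setting through the first chain inherits the edit rights of the wiki pages in front of the file, which is why the proposal injects the "restricted" hint into DefaultEnvironmentConfiguration.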
