On 05/30/2012 10:18 AM, Vincent Massol wrote:

On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:

On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:

On May 30, 2012, at 2:26 PM, Vincent Massol wrote:

Hi devs,

We have the need of a Configuration Source component hint for an implementation
that only looks in non-modifiable sources (e.g. xwiki.properties).

More specifically there's a security issue in some cases in allowing the use of the current
"default" configuration source which looks in space preferences, wiki
preferences and then only in xwiki.properties.

For example the Environment's permanent directory should not be modifiable from 
wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).

So here's the proposal:

* Introduce a new RestrictedConfigurationSourceProvider implementation (in 
configuration-api) that does the same as the current ConfigurationSourceProvider but when 
looking up the CS, it looks for a CS with hint "restricted"
* Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
* Add a new XWikiPropertiesConfigurationSource with hint = "restricted"

Made a mistake here. Instead:

* Introduce a new RestrictedConfigurationSourceProvider implementation (in 
configuration-api) that does the same as the current ConfigurationSourceProvider but when 
looking up the CS, it looks for a CS with hint "restricted"

* Add a new RestrictedConfigurationSource impl that uses only 
XWikiPropertiesConfigurationSource FTM

Will you put RestrictedConfigurationSource in
xwiki-commons-configuration-api or in xwiki-platform? It needs to know
about "xwikiproperties" hint, which is specific to xwiki-platform.

It's in platform-configuration-default, next to DefaultConfigurationSource.

Then we have a commons component that doesn't work outside XWiki, unless those that want to use it also implement that "restricted" component?

thanks
-Vincent


Thanks,
Marius


No need to deprecate anything.

Thanks
-Vincent

* Modify DefaultEnvironmentConfiguration to use:

    @Inject
    @Named("restricted")
    private Provider<ConfigurationSource> configurationSourceProvider;

WDYT?

Thanks
-Vincent



--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
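
The lookup order discussed in this thread, as an added example that is not part of the original messages and is not XWiki code: a simplified model in which the "default" hint resolves a key through space preferences, wiki preferences and then xwiki.properties, while the "restricted" hint consults the properties file only. The `Source` interface, the `registry` map standing in for hint-based component lookup, and all values and paths are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class RestrictedLookupDemo {
    /** Hypothetical stand-in for a configuration source; not the XWiki ConfigurationSource API. */
    interface Source {
        Optional<String> get(String key);
    }

    /** A source backed by a fixed map (models space prefs, wiki prefs or xwiki.properties). */
    static Source of(Map<String, String> values) {
        return key -> Optional.ofNullable(values.get(key));
    }

    /** Models a chained lookup: the first source that defines the key wins. */
    static Source chain(List<Source> sources) {
        return key -> sources.stream()
            .map(s -> s.get(key))
            .flatMap(Optional::stream)
            .findFirst();
    }

    /** Stand-in for hint-based component lookup: hint -> implementation. */
    static Map<String, Source> registry(Source space, Source wiki, Source file) {
        Map<String, Source> byHint = new LinkedHashMap<>();
        byHint.put("default", chain(List.of(space, wiki, file)));
        byHint.put("restricted", chain(List.of(file))); // file-backed source only
        return byHint;
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // sample key; values below are constructed
        Source space = of(Map.of());                                 // nothing set at space level
        Source wiki = of(Map.of(key, "/tmp/set-from-a-wiki-page"));  // editable from wiki pages
        Source file = of(Map.of(key, "/var/lib/xwiki/data"));        // models xwiki.properties

        Map<String, Source> byHint = registry(space, wiki, file);
        // "default": the wiki-level value shadows the value from the file.
        System.out.println("default    -> " + byHint.get("default").get(key).orElse("<unset>"));
        // "restricted": only the file is consulted, so the wiki-level value is ignored.
        System.out.println("restricted -> " + byHint.get("restricted").get(key).orElse("<unset>"));
    }
}
```

A consumer that must not be influenced by wiki-editable settings would ask for the "restricted" entry, which corresponds to the `@Named("restricted")` injection proposed in the thread.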
