On Wed, May 30, 2012 at 5:02 PM, Sergiu Dumitriu <[email protected]> wrote:
> On 05/30/2012 10:18 AM, Vincent Massol wrote:
>>
>>
>> On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
>>
>>> On Wed, May 30, 2012 at 4:35 PM, Vincent Massol<[email protected]>
>>> wrote:
>>>>
>>>>
>>>> On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
>>>>
>>>>> Hi devs,
>>>>>
>>>>> We have the need of a Configuration Source component hint for
>>>>> implementation that only looks in non-modifiable sources (e.g.
>>>>> xwiki.properties).
>>>>>
>>>>> More specifically there's a security issue in some cases in allowing to
>>>>> use the current "default" configuration source which looks in space
>>>>> preferences, wiki preferences and then only in xwiki.properties.
>>>>>
>>>>> For example the Environment's permanent directory should not be
>>>>> modifiable from wiki pages (see
>>>>> http://jira.xwiki.org/browse/XCOMMONS-182).
>>>>>
>>>>> So here's the proposal:
>>>>>
>>>>> * Introduce a new RestrictedConfigurationSourceProvider implementation
>>>>> (in configuration-api) that does the same as the current
>>>>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS
>>>>> with hint "restricted"
>>>>> * Deprecate the current XWikiPropertiesConfigurationSource (hint =
>>>>> "default")
>>>>> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
>>>>
>>>>
>>>> Made a mistake here. Instead:
>>>>
>>>> * Introduce a new RestrictedConfigurationSourceProvider implementation
>>>> (in configuration-api) that does the same as the current
>>>> ConfigurationSourceProvider but when looking up the CS, it looks for a CS
>>>> with hint "restricted"
>>>
>>>
>>>> * Add a new RestrictedConfigurationSource impl that uses only
>>>> XWikiPropertiesConfigurationSource FTM
>>>
>>>
>>> Will you put RestrictedConfigurationSource in
>>> xwiki-commons-configuration-api or in xwiki-platform? It needs to know
>>> about "xwikiproperties" hint, which is specific to xwiki-platform.
>>
>>
>> It's in platform-configuration-default, next to
>> DefaultConfigurationSource.
>
>
> Then we have a commons component that doesn't work outside XWiki, unless
> those that want to use it also implement that "restricted" component?
The ConfigurationSource is in platform, not the Provider, which provides
an empty ConfigurationSource if none can be looked up.
>
>
>> thanks
>> -Vincent
>>
>>>
>>> Thanks,
>>> Marius
>>>
>>>>
>>>> No need to deprecate anything.
>>>>
>>>> Thanks
>>>> -Vincent
>>>>
>>>>> * Modify DefaultEnvironmentConfiguration to use:
>>>>>
>>>>> @Inject
>>>>> @Named("restricted")
>>>>> private Provider<ConfigurationSource> configurationSourceProvider;
>>>>>
>>>>> WDYT?
>>>>>
>>>>> Thanks
>>>>> -Vincent
>>>>>
>
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu/
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
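
The lookup behaviour discussed in this thread, as an added example that is not part of the original messages and is not XWiki code: it contrasts a "default" source that consults wiki-editable preferences first with a "restricted" source that reads only xwiki.properties, and shows the provider falling back to an empty source when no "restricted" component is registered. The `ConfigSource` interface, the registry map, the property key and the paths are assumptions made for the illustration.

```java
import java.util.*;

// Simplified stand-in for the ConfigurationSource idea in the thread (assumption, not XWiki's interface).
interface ConfigSource {
    String getProperty(String key);
}

public class RestrictedConfigDemo {
    // A source backed by a fixed map of values.
    static ConfigSource mapSource(Map<String, String> values) {
        return values::get;
    }

    // Layered lookup: the first source that defines the key wins.
    static ConfigSource composite(List<ConfigSource> sources) {
        return key -> sources.stream().map(s -> s.getProperty(key))
            .filter(Objects::nonNull).findFirst().orElse(null);
    }

    // Provider lookup by hint; an empty source is returned when no component has that hint.
    static ConfigSource provide(Map<String, ConfigSource> registry, String hint) {
        return registry.getOrDefault(hint, key -> null);
    }

    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // assumed key name
        // Constructed sample values: space preferences are editable from wiki pages,
        // xwiki.properties is editable only by whoever administers the server.
        ConfigSource spacePrefs = mapSource(Map.of(key, "/tmp/set-from-wiki-page"));
        ConfigSource wikiPrefs = mapSource(Map.of());
        ConfigSource xwikiProperties = mapSource(Map.of(key, "/var/lib/xwiki/data"));

        Map<String, ConfigSource> registry = new HashMap<>();
        registry.put("default", composite(List.of(spacePrefs, wikiPrefs, xwikiProperties)));
        registry.put("restricted", composite(List.of(xwikiProperties)));

        // "default" resolves the page-controlled value; "restricted" ignores it.
        System.out.println("default    -> " + provide(registry, "default").getProperty(key));
        System.out.println("restricted -> " + provide(registry, "restricted").getProperty(key));

        // Without a "restricted" component the provider yields an empty source,
        // so the caller ends up on its own built-in default.
        registry.remove("restricted");
        String value = provide(registry, "restricted").getProperty(key);
        System.out.println("no component -> " + (value != null ? value : "(caller's built-in default)"));
    }
}
```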