On Wed, Jul 4, 2012 at 11:24 AM, Eduard Moraru <[email protected]> wrote:
> Hi Thomas,
>
> Was going to +1 this, but then a question popped up...
>
> Does this mean that an admin (with no PR) could craft and import a xar that
> contains a macro with document author xwiki:XWiki.Admin and that macro will
> be registered and get PR, thus being able to inject code that will execute
> with PR?

You can't import a XAR in backup mode (keeping the author of the XAR) if you don't have PR. Otherwise you would not need to do something that complex, you can simply import a page with some groovy script in it and give it a PR user as author in the XAR. And again the author of the wiki macro is already what is used at init time so I'm not really proposing anything new here.

>
> Thanks,
> Eduard
>
> On Wed, Jul 4, 2012 at 11:23 AM, Thomas Mortagne
> <[email protected]> wrote:
>
>> Hi devs,
>>
>> Currently the wiki macro is looking at context user when a wiki macro
>> is modified. This is causing a lot of complexity and misunderstanding
>> so I would like to change that to look at document author instead.
>>
>> * all we at at startup is document author anyway so if you restart
>> that what XWiki will look at to register the macro so I don't see the
>> point in not doing the same thing at runtime
>> * context user makes more complex to make sure wiki macro are properly
>> registered in background thread like clustering
>> (http://jira.xwiki.org/browse/XWIKI-7318) and extension manager jobs
>> (http://jira.xwiki.org/browse/XWIKI-8004)
>>
>> WDYT ?
>>
>> Here is my +1
>>
>> --
>> Thomas Mortagne
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
>>

--
Thomas Mortagne
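
Added example, not part of the original thread and not XWiki code: a simplified Python model of the exchange above, showing why keying wiki macro registration on the document author stays safe as long as backup-mode import (which keeps the XAR's author) is refused without PR. All function names, the `Sandbox.CraftedMacro` page and the user `xwiki:XWiki.LocalAdmin` are hypothetical, and the model assumes a non-backup import re-authors documents to the importer.

```python
from dataclasses import dataclass

# Constructed sample data: the only account holding programming rights (PR).
PR_USERS = {"xwiki:XWiki.Admin"}

def has_pr(user):
    return user in PR_USERS

@dataclass
class Document:
    name: str
    author: str
    is_wiki_macro: bool = False

def import_xar(docs, importer, backup_mode=False):
    """Return the documents as they would be stored after the import.

    Backup mode keeps the author recorded in the XAR and is refused without PR.
    Assumption of this model: a normal import re-authors every document to the importer.
    """
    if backup_mode and not has_pr(importer):
        raise PermissionError("backup-mode import requires PR")
    if backup_mode:
        return list(docs)
    return [Document(d.name, importer, d.is_wiki_macro) for d in docs]

def register_macros(stored_docs):
    """Decide per macro whether it gets PR, looking only at the document author.

    No context user is involved, so startup, runtime and background threads
    all reach the same decision for the same stored document.
    """
    return {d.name: has_pr(d.author) for d in stored_docs if d.is_wiki_macro}

def try_crafted_import(importer):
    """Import a XAR whose macro claims a PR author, in both import modes."""
    crafted = [Document("Sandbox.CraftedMacro", "xwiki:XWiki.Admin", is_wiki_macro=True)]
    result = {}
    try:
        register_macros(import_xar(crafted, importer, backup_mode=True))
        result["backup"] = "accepted"
    except PermissionError:
        result["backup"] = "refused"
    result["normal"] = register_macros(import_xar(crafted, importer))
    return result

if __name__ == "__main__":
    print(try_crafted_import("xwiki:XWiki.LocalAdmin"))
    print(try_crafted_import("xwiki:XWiki.Admin"))
```

The check that matters is the one in `import_xar`: if any path lets a user without PR store a document with an author they chose, the author-based decision in `register_macros` inherits that flaw.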

