Ok, +1 then :)

Thanks,
Eduard

On Wed, Jul 4, 2012 at 12:41 PM, Thomas Mortagne <[email protected]> wrote:

> On Wed, Jul 4, 2012 at 11:24 AM, Eduard Moraru <[email protected]> wrote:
> > Hi Thomas,
> >
> > Was going to +1 this, but then a question popped up...
> >
> > Does this mean that an admin (with no PR) could craft and import a xar that
> > contains a macro with document author xwiki:XWiki.Admin and that macro will
> > be registered and get PR, thus being able to inject code that will execute
> > with PR?
>
> You can't import a XAR in backup mode (keeping the author of the XAR)
> if you don't have PR.
>
> Otherwise you would not need to do something that complex, you can
> simply import a page with some groovy script in it and give it a PR
> user as author in the XAR. And again the author of the wiki macro is
> already what is used at init time so I'm not really proposing anything
> new here.
>
> >
> > Thanks,
> > Eduard
> >
> > On Wed, Jul 4, 2012 at 11:23 AM, Thomas Mortagne <[email protected]> wrote:
> >
> >> Hi devs,
> >>
> >> Currently the wiki macro is looking at context user when a wiki macro
> >> is modified. This is causing a lot of complexity and misunderstanding
> >> so I would like to change that to look at document author instead.
> >>
> >> * all we at at startup is document author anyway so if you restart
> >> that what XWiki will look at to register the macro so I don't see the
> >> point in not doing the same thing at runtime
> >> * context user makes more complex to make sure wiki macro are properly
> >> registered in background thread like clustering
> >> (http://jira.xwiki.org/browse/XWIKI-7318) and extension manager jobs
> >> (http://jira.xwiki.org/browse/XWIKI-8004)
> >>
> >> WDYT ?
> >>
> >> Here is my +1
> >>
> >> --
> >> Thomas Mortagne
>
> --
> Thomas Mortagne

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs

