Hi,

Thanks for the piece of advice. Since I need access to the context and
would like to be able to put some warning in the logs if an error occurs
while checking the password, I think I would put the method in
com.xpn.xwiki.api.User rather than in XWikiUser. But of course I would
check for the Programming Rights to avoid brute force.

Thanks,

Thomas


On Thu, Apr 25, 2013 at 5:02 PM, Vincent Massol <[email protected]> wrote:

> Hi,
>
> On Apr 25, 2013, at 12:15 AM, Denis Gervalle <[email protected]> wrote:
>
> > On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse <[email protected]> wrote:
> >
> >> Hello all,
> >>
> >> I've been working on some improvements on user changing password (see
> >> XWiki-6882). In particular, I tried to make it mandatory, for a user
> >> wanting to change his password, to submit also his current password, so
> >> that I could check it.
> >> The problem is that there is no way to make this check through Velocity. I
> >> tried to use some Groovy instead, but it breaks the functional tests. So I
> >> need to introduce a new method "checkPassword" accessible from Velocity
> >> scripts. The question is, where should I implement it?
> >> There are two possibilities:
> >> 1) Write a new component
> >> 2) Add this method in an existing API.
> >> I don't really like 1), as I feel it would be strange to introduce a new
> >> service with only one method.
> >> In the meanwhile, for 2), I don't really know in which API this method
> >> could fit. Sergiu told me that I could perhaps put it in
> >> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi,
> >> but that it wasn't really good either. Any ideas?
> >>
> >
> > IMO, you should use an existing API that will be deprecated as soon as we
> > have a real security authentication module. However, I do not think
> > com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the right
> > place, I would see it more in com.xpn.xwiki.user.api.XWikiUser, with
> > the advantage that reaching it will require PR (preventing brute force
> > attack).
> >
> > In the new authentication module, the abstraction should be really
> > improved, allowing to change the password outside of the XWiki as well, if
> > the authentication backend supports such a feature. The notion of password
> > will need to be abstracted as well, since there is more than just password
> > for authentication. So, this will surely be another story, and it is
> > not foreseeable now.
>
> I agree with Denis here. Regarding the location in the existing code, I
> don't have any strong opinion.
>
> Thanks
> -Vincent
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>