You mean that there is no way we could make functional tests work if I need to check the user password, since this should require PR? Should we give up this password verification then?
On Mon, Apr 29, 2013 at 1:34 PM, Sergiu Dumitriu <[email protected]> wrote:

> On 04/29/2013 06:22 AM, Thomas Delafosse wrote:
> > Hi,
> >
> > Thanks for the piece of advice. Since I need access to the context and
> > would like to be able to put some warning in the logs if an error occurs
> > while checking the password, I think I would put the method in
> > com.xpn.xwiki.api.User rather than in XWikiUser. But of course I would
> > check for the Programming Rights to avoid brute force.
>
> This won't solve the failing tests problem, since they fail because we
> don't have an Admin account with programming rights.
>
> > Thanks,
> >
> > Thomas
> >
> >
> > On Thu, Apr 25, 2013 at 5:02 PM, Vincent Massol <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> On Apr 25, 2013, at 12:15 AM, Denis Gervalle <[email protected]> wrote:
> >>
> >>> On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse <[email protected]> wrote:
> >>>
> >>>> Hello all,
> >>>>
> >>>> I've been working on some improvements on user changing password (see
> >>>> XWiki-6882). In particular, I tried to make it mandatory, for a user wanting
> >>>> to change his password, to also submit his current password, so that I
> >>>> could check it.
> >>>> The problem is that there is no way to make this check through velocity. I
> >>>> tried to use some groovy instead, but it breaks the functional tests. So I
> >>>> need to introduce a new method "checkPassword" accessible from velocity
> >>>> scripts. The question is, where should I implement it?
> >>>> There are two possibilities:
> >>>> 1) Write a new component
> >>>> 2) Add this method in an existing API.
> >>>> I don't really like 1), as I feel it would be strange to introduce a new
> >>>> service with only one method.
> >>>> In the meanwhile, for 2), I don't really know in which API this method
> >>>> could fit. Sergiu told me that I could perhaps put it in
> >>>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi,
> >>>> but that it wasn't really good either. Any ideas?
> >>>>
> >>>
> >>> IMO, you should use an existing API that will be deprecated as soon as we
> >>> have a real security authentication module. However, I don't think
> >>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the right
> >>> place, I would see it more in com.xpn.xwiki.user.api.XWikiUser, with
> >>> the advantage that reaching it will require PR (preventing brute force
> >>> attacks).
> >>>
> >>> In the new authentication module, the abstraction should be really
> >>> improved, allowing to change the password outside of the XWiki as well, if
> >>> the authentication backend supports such a feature. The notion of password
> >>> will need to be abstracted as well, since there is more than just password
> >>> for authentication. So, this will surely be another story, and it is
> >>> not foreseeable now.
> >>
> >> I agree with Denis here. Regarding the location in the existing code, I
> >> don't have any strong opinion.
> >>
> >> Thanks
> >> -Vincent
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs

