On 04/29/2013 08:22 AM, Thomas Delafosse wrote: > You mean that there is no way we could make functional tests work if I need > to check the user password, since this should require PR? Should we give up > this password verification then ?
I think I just found a way around the issue: add a dependency on the administration application, which brings the Admin account and its rights. > > On Mon, Apr 29, 2013 at 1:34 PM, Sergiu Dumitriu <[email protected]> wrote: > >> On 04/29/2013 06:22 AM, Thomas Delafosse wrote: >>> Hi, >>> >>> Thanks for the piece of advice. Since I need access to the context >> and >>> would like to be able to put some warning in the logs if an error occurs >>> while checking the password, I think I would put the method in >>> com.xpn.xwiki.api.User rather than in XWikiUser. But of course I would >>> check for the Programming Rights to avoid Brute force. >> >> This won't solve the failing tests problem, since they fail because we >> don't have an Admin account with programming rights. >> >>> Thanks, >>> >>> Thomas >>> >>> >>> On Thu, Apr 25, 2013 at 5:02 PM, Vincent Massol <[email protected]> >> wrote: >>> >>>> Hi, >>>> >>>> On Apr 25, 2013, at 12:15 AM, Denis Gervalle <[email protected]> wrote: >>>> >>>>> On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse < >>>>> [email protected]> wrote: >>>>> >>>>>> Hello all, >>>>>> >>>>>> I've been working on some improvements on user changing password >> (see >>>>>> XWiki-6882). In particular, I tried to make mandatory, for an user >>>> wanting >>>>>> to change his password, to submit also his current password, so that I >>>>>> could check it. >>>>>> The problem is that there is no way to make this check through >>>> velocity. I >>>>>> tried to use some groovy instead, but it breaks the functional tests. >>>> So I >>>>>> need to introduce a new method "checkPassword" accessible from >> velocity >>>>>> scripts. The question is, where should I implement it ? >>>>>> There are two possibilities >>>>>> 1) Wrote a new component >>>>>> 2) Add this method in an existing API. >>>>>> I don't really like 1), as I feel it would be strange to introduce a >> new >>>>>> service with only one method. >>>>>> In the meanwhile, for 2), I don't really know in which API this method >>>>>> could fit. Sergiu told me that I could perhaps put it in >>>>>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi, >>>>>> but that it wasn't really good either. Any ideas ? >>>>>> >>>>> >>>>> IMO, you should use an existing API that will be deprecated as soon as >> we >>>>> have a real security authentication module. However, I not think >>>>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the >> right >>>>> place, I would see it more in com.xpn.xwiki.user.api.XWikiUser, with >>>>> the advantage that reaching it will require PR (preventing brute force >>>>> attack). >>>>> >>>>> In the new authentication module, the abstraction should be really >>>>> improved, allowing to change the password outside of the XWiki as well, >>>> if >>>>> the authentication backend support such feature. The notion of password >>>>> will need to be abstracted as well, since there is more then just >>>> password >>>>> for authentication. So, this will surely be another story, and it is >>>>> not foreseeable now. >>>> >>>> I agree with Denis here. Regarding the location in the existing code, I >>>> don't have any strong opinion. >>>> >>>> Thanks >>>> -Vincent -- Sergiu Dumitriu http://purl.org/net/sergiu _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
