On Mon, Jun 22, 2015 at 12:17 PM, Eduard Moraru <[email protected]> wrote: > On Sat, Jun 20, 2015 at 9:36 AM, Thomas Mortagne <[email protected]> > wrote: > >> On Fri, Jun 19, 2015 at 5:42 PM, Eduard Moraru <[email protected]> >> wrote: >> > Hi, >> > >> > On Fri, Jun 19, 2015 at 5:42 PM, Thomas Mortagne < >> [email protected]> >> > wrote: >> > >> >> On Fri, Jun 19, 2015 at 4:25 PM, Eduard Moraru <[email protected]> >> >> wrote: >> >> > Hi, >> >> > >> >> > For 7.2, we are introducing a new right to control permissions on the >> >> > execution of scripts. >> >> > >> >> > Right now, out of all the scripts we support, Velocity is special and >> >> does >> >> > not require programming rights, since it uses only the public API. Of >> >> > course, if it has PR available, it can also access privileged API. All >> >> > other scripts (groovy, python, etc) require PR by default. >> >> > >> >> > The new 'script' right should be used to control "light"/sandboxed >> >> > scripting, such as velocity or any other scripts that are configured >> to >> >> > consider this new right when executing (assuming they override the >> >> standard >> >> > PR check). >> >> >> >> We actually do have another one already, a custom version of Groovy >> >> JSR223 engine done by Vincent. >> >> All that to say that you should probably also update >> >> org.xwiki.rendering.internal.macro.groovy.GroovyMacroPermissionPolicy >> >> in xwiki-platform-rendering-macro-groovy module. >> >> >> > >> > I have noticed it, but did not touch it since I see it has a custom way >> of >> > restricting execution (it sets a 'secure' flag in the groovy >> configuration >> > that tells it to consider if the macro transformation context is >> restricted >> > or not and, if not restricted, it does not need PR, but delegates to a >> > Groovy dedicated security customizer) and if that is not used/configured, >> > it falls back to programming rights. >> > >> > Do you think we need to or should do more than that for Groovy? If not >> > custom security customizer is set, then PR decide if a groovy script runs >> > or not (which is often the case). And if so, what do you propose? >> >> I know how it's working and the goal of this customisation is allow >> using Groovy without PR in which case it should require Script right >> exactly like Velocity does. It would not make much sense to not be >> allowed to do Velocity when you can do Groovy. >> > > I see. At first I did not understand what you mean, but now I do. > > Basically, you want "light"/limited groovy scripts (running with a secure > customizer) to be handled consistently, just like just velocity scripts, > which makes sense. > In other words, this: > https://github.com/xwiki/xwiki-platform/commit/a766d8a1d7db06f51e02fbced85a60b5295f07f8
yes > > Thanks, > Eduard > >> >> > >> > Thanks, >> > Eduard >> > >> >> >> >> > >> >> > Since the build is not in top shape due to the nested spaces changes, >> I >> >> > have currently committed my work on this in a branch, created a PR and >> >> > would like to profit from this occasion to ask the devs that are more >> >> > familiar with the rights system for some feedback on it. >> >> > >> >> > The Jira issue is http://jira.xwiki.org/browse/XWIKI-12171 >> >> > The PR is https://github.com/xwiki/xwiki-platform/pull/410 >> >> >> >> Looks good (all I could do is a minor comment on a comment :) ). >> >> >> >> > >> >> > Thanks, >> >> > Eduard >> >> > _______________________________________________ >> >> > devs mailing list >> >> > [email protected] >> >> > http://lists.xwiki.org/mailman/listinfo/devs >> >> >> >> >> >> >> >> -- >> >> Thomas Mortagne >> >> _______________________________________________ >> >> devs mailing list >> >> [email protected] >> >> http://lists.xwiki.org/mailman/listinfo/devs >> >> >> > _______________________________________________ >> > devs mailing list >> > [email protected] >> > http://lists.xwiki.org/mailman/listinfo/devs >> >> >> >> -- >> Thomas Mortagne >> _______________________________________________ >> devs mailing list >> [email protected] >> http://lists.xwiki.org/mailman/listinfo/devs >> > _______________________________________________ > devs mailing list > [email protected] > http://lists.xwiki.org/mailman/listinfo/devs -- Thomas Mortagne _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
