Thanks, Thomas, for the feedback. I'm moving ahead with merging it into
master, since the build looks ready for it.

-Eduard

On Mon, Jun 22, 2015 at 1:22 PM, Thomas Mortagne <[email protected]>
wrote:

> On Mon, Jun 22, 2015 at 12:17 PM, Eduard Moraru <[email protected]> wrote:
> > On Sat, Jun 20, 2015 at 9:36 AM, Thomas Mortagne <[email protected]> wrote:
> >
> >> On Fri, Jun 19, 2015 at 5:42 PM, Eduard Moraru <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > On Fri, Jun 19, 2015 at 5:42 PM, Thomas Mortagne <[email protected]> wrote:
> >> >
> >> >> On Fri, Jun 19, 2015 at 4:25 PM, Eduard Moraru <[email protected]> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > For 7.2, we are introducing a new right to control permissions on the
> >> >> > execution of scripts.
> >> >> >
> >> >> > Right now, out of all the scripts we support, Velocity is special and does
> >> >> > not require programming rights, since it uses only the public API. Of
> >> >> > course, if it has PR available, it can also access privileged API. All
> >> >> > other scripts (groovy, python, etc) require PR by default.
> >> >> >
> >> >> > The new 'script' right should be used to control "light"/sandboxed
> >> >> > scripting, such as velocity or any other scripts that are configured to
> >> >> > consider this new right when executing (assuming they override the
> >> >> > standard PR check).
> >> >>
> >> >> We actually do have another one already, a custom version of Groovy
> >> >> JSR223 engine done by Vincent.
> >> >> All that to say that you should probably also update
> >> >> org.xwiki.rendering.internal.macro.groovy.GroovyMacroPermissionPolicy
> >> >> in xwiki-platform-rendering-macro-groovy module.
> >> >>
> >> >
> >> > I have noticed it, but did not touch it since I see it has a custom way of
> >> > restricting execution (it sets a 'secure' flag in the groovy configuration
> >> > that tells it to consider if the macro transformation context is restricted
> >> > or not and, if not restricted, it does not need PR, but delegates to a
> >> > Groovy dedicated security customizer) and if that is not used/configured,
> >> > it falls back to programming rights.
> >> >
> >> > Do you think we need to or should do more than that for Groovy? If no
> >> > custom security customizer is set, then PR decides if a groovy script runs
> >> > or not (which is often the case). And if so, what do you propose?
> >>
> >> I know how it's working and the goal of this customisation is to allow
> >> using Groovy without PR, in which case it should require Script right
> >> exactly like Velocity does. It would not make much sense to not be
> >> allowed to do Velocity when you can do Groovy.
> >>
> >
> > I see. At first I did not understand what you meant, but now I do.
> >
> > Basically, you want "light"/limited groovy scripts (running with a secure
> > customizer) to be handled consistently, just like velocity scripts,
> > which makes sense.
> > In other words, this:
> >
> > https://github.com/xwiki/xwiki-platform/commit/a766d8a1d7db06f51e02fbced85a60b5295f07f8
>
> yes
>
> >
> > Thanks,
> > Eduard
> >
> >>
> >> >
> >> > Thanks,
> >> > Eduard
> >> >
> >> >>
> >> >> >
> >> >> > Since the build is not in top shape due to the nested spaces changes, I
> >> >> > have currently committed my work on this in a branch, created a PR and
> >> >> > would like to profit from this occasion to ask the devs that are more
> >> >> > familiar with the rights system for some feedback on it.
> >> >> >
> >> >> > The Jira issue is http://jira.xwiki.org/browse/XWIKI-12171
> >> >> > The PR is https://github.com/xwiki/xwiki-platform/pull/410
> >> >>
> >> >> Looks good (all I could do is a minor comment on a comment :) ).
> >> >>
> >> >> >
> >> >> > Thanks,
> >> >> > Eduard
> >> >> > _______________________________________________
> >> >> > devs mailing list
> >> >> > [email protected]
> >> >> > http://lists.xwiki.org/mailman/listinfo/devs
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Thomas Mortagne
> >> >>
> >>
> >>
> >>
> >> --
> >> Thomas Mortagne
> >>
>
>
>
> --
> Thomas Mortagne
>
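The consistency point Thomas raises in the thread, modelled as an added Java example that is not XWiki code and does not use XWiki's own classes (GroovyMacroPermissionPolicy is only named, not reproduced): the types `Right`, `ScriptRequest`, `PermissionPolicy` and the two policy classes are this example's own assumptions. It contrasts a policy in which sandboxed Groovy skips the rights check entirely (the state the review objected to) with one in which every "light" script, Velocity or Groovy under a secure customizer, is gated on the Script right, and everything else on Programming rights.

```java
import java.util.EnumSet;
import java.util.Set;

public class ScriptRightDemo {

    // Hypothetical rights model for this example; XWiki's real Right type is not used here.
    enum Right { SCRIPT, PROGRAMMING }

    /** A script about to run and the rights its author holds (example type). */
    static final class ScriptRequest {
        final String language;           // "velocity", "groovy", "python", ...
        final boolean secureCustomizer;  // Groovy only: a dedicated security customizer is configured
        final Set<Right> authorRights;

        ScriptRequest(String language, boolean secureCustomizer, Set<Right> authorRights) {
            this.language = language;
            this.secureCustomizer = secureCustomizer;
            this.authorRights = authorRights;
        }

        /** "Light"/sandboxed scripting: Velocity (public API only) or Groovy under a secure customizer. */
        boolean isSandboxed() {
            return language.equals("velocity") || (language.equals("groovy") && secureCustomizer);
        }
    }

    interface PermissionPolicy {
        boolean isAllowed(ScriptRequest request);
    }

    /** Programming rights imply every lesser right, so PR also satisfies a SCRIPT requirement. */
    static boolean hasRight(ScriptRequest r, Right needed) {
        return r.authorRights.contains(needed) || r.authorRights.contains(Right.PROGRAMMING);
    }

    /** The inconsistent shape: Velocity needs SCRIPT, but sandboxed Groovy is not gated on any right. */
    static final class InconsistentPolicy implements PermissionPolicy {
        public boolean isAllowed(ScriptRequest r) {
            if (r.language.equals("groovy") && r.secureCustomizer) {
                return true;  // execution is delegated to the customizer; no right is checked at all
            }
            Right needed = r.language.equals("velocity") ? Right.SCRIPT : Right.PROGRAMMING;
            return hasRight(r, needed);
        }
    }

    /** The consistent shape: every sandboxed script needs SCRIPT, everything else needs PROGRAMMING. */
    static final class ConsistentPolicy implements PermissionPolicy {
        public boolean isAllowed(ScriptRequest r) {
            Right needed = r.isSandboxed() ? Right.SCRIPT : Right.PROGRAMMING;
            return hasRight(r, needed);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an author holding no script-related right at all.
        Set<Right> none = EnumSet.noneOf(Right.class);
        ScriptRequest velocity = new ScriptRequest("velocity", false, none);
        ScriptRequest sandboxedGroovy = new ScriptRequest("groovy", true, none);
        ScriptRequest fullGroovy = new ScriptRequest("groovy", false, none);

        PermissionPolicy[] policies = { new InconsistentPolicy(), new ConsistentPolicy() };
        for (PermissionPolicy policy : policies) {
            System.out.println(policy.getClass().getSimpleName());
            System.out.println("  velocity, no rights:          " + policy.isAllowed(velocity));
            System.out.println("  sandboxed groovy, no rights:  " + policy.isAllowed(sandboxedGroovy));
            System.out.println("  unsandboxed groovy, no rights:" + policy.isAllowed(fullGroovy));
        }
    }
}
```

Under the first policy the author without rights is refused Velocity but allowed sandboxed Groovy, which is exactly the "not allowed to do Velocity when you can do Groovy" situation; the second policy makes the two decisions agree, while unsandboxed Groovy keeps requiring Programming rights in both.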
