Hello All,

It's been a long time since we first discussed hardening XWiki Programming Rights
by way of signing scripts in the wiki. As I recall the idea was spawned some time
around 2011 in a conversation between me and Denis but it has had difficulty getting
off the ground. Alex Busenius and I worked together on an early crypto API for XWiki
but we fell short on getting it tied in to the scripting infrastructure. Denis Gervalle
picked up the task and redeveloped the crypto API but still had not been able to reach
a consensus on how the Signed Scripts should operate.

Thanks to James Kettle reporting some arguably-buggy behavior to us, I started thinking
maybe there is an easier way. I would like to propose a more simple alternative to see
if the community supports it.

1. Introduce a HAS_PR bit to XWikiDocument, if this bit is set then the document has
programming rights.

2. Every time a document is saved (at the database level), if the contentAuthor does
not have programming rights, we clear the bit.

3. The save action will set the bit if appropriate but other methods of saving a
document will not (to prevent bad scripts from tricking users into granting PR).

4. Upon upgrade, we will do a database migration and any document which would have
PR now will have the bit set.

5. XAR Exports will contain the value of the bit.


The idea of the bit is that we can more clearly express intent, if we are quite sure
that not only does the editor have PR but indeed they *want* to grant it to the script,
only then do we set the bit. Furthermore the bit is resistant to shenanigans because
it is inaccessible to velocity scripting, as is an XObject which could otherwise also
be used for this purpose.

The bit can reside in the XWD_ELEMENTS field of the xwikidoc table which is intended
for this purpose.

WDYT?

Caleb
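
The bit lifecycle from steps 1 to 3 above, as an added example that is not part of the original message or of XWiki's code. The class `HasPrBitModel`, its methods, the `wantsPr` flag, the bit position and the user names are all hypothetical stand-ins.

```java
import java.util.Set;

// Hypothetical model of the proposed HAS_PR bit; no name here is XWiki's real API.
public class HasPrBitModel {
    static final int HAS_PR = 1 << 3; // assumed position in an XWD_ELEMENTS-style bitmask

    static final class Doc {
        String contentAuthor;
        int elements; // stands in for the XWD_ELEMENTS column
        boolean hasPr() { return (elements & HAS_PR) != 0; }
    }

    private final Set<String> usersWithPr; // constructed stand-in for the rights check
    HasPrBitModel(Set<String> usersWithPr) { this.usersWithPr = usersWithPr; }

    // Step 2: every database-level save clears the bit when the author lacks PR.
    void storeSave(Doc doc) {
        if (!usersWithPr.contains(doc.contentAuthor)) {
            doc.elements &= ~HAS_PR;
        }
    }

    // Step 3: only the interactive save action may set the bit, and only when the
    // editor both holds PR and asked to grant it (wantsPr models that intent).
    void saveAction(Doc doc, String editor, boolean wantsPr) {
        doc.contentAuthor = editor;
        if (wantsPr && usersWithPr.contains(editor)) {
            doc.elements |= HAS_PR;
        }
        storeSave(doc);
    }

    // Any other save path (for example a script saving in the user's session)
    // records the author but never sets the bit.
    void otherSave(Doc doc, String effectiveUser) {
        doc.contentAuthor = effectiveUser;
        storeSave(doc);
    }

    public static void main(String[] args) {
        HasPrBitModel wiki = new HasPrBitModel(Set.of("Admin")); // constructed users
        Doc planted = new Doc();
        wiki.otherSave(planted, "Admin");         // script saves as a PR user
        System.out.println("scripted save by Admin: " + planted.hasPr());
        Doc intended = new Doc();
        wiki.saveAction(intended, "Admin", true); // deliberate grant
        System.out.println("save action by Admin:   " + intended.hasPr());
        wiki.otherSave(intended, "Guest");        // later edit by a non-PR user
        System.out.println("after edit by Guest:    " + intended.hasPr());
    }
}
```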

