Re: [xwiki-users] Programming rights in virtual wiki
On Fri, Mar 27, 2009 at 5:07 PM, hel-o wrote:
> don't know if that's another use case but at the moment I can't copy pages in
> the virtual wiki. It works in the main wiki and I tried in the virtual wiki
> with the global user and the local user. When I copy a page a success message
> appears, but when I click the link for the new page, the page does not
> exist.

http://jira.xwiki.org/jira/browse/XE-374
Actions->Copy of document doesn't work, but claims success

Niels
http://nielsmayer.com
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] Programming rights in virtual wiki
Hi,

don't know if that's another use case but at the moment I can't copy pages in the virtual wiki. It works in the main wiki and I tried in the virtual wiki with the global user and the local user. When I copy a page a success message appears, but when I click the link for the new page, the page does not exist.

Also the ImportPages page of the Import/Export Application did not work when I imported it with the local user. Saved it with the global user and it worked.

For me it's not really transparent what works and what does not work. And it's true that you don't need programming privileges for Velocity but you need it when you access the restricted API with Velocity. Well maybe it's just a documentation issue :)

hel.

By the way XWiki 1.8 is great

-
hel.
h...@hel.at
--
View this message in context: http://n2.nabble.com/Programming-rights-in-virtual-wiki-tp2538608p2547324.html
Sent from the XWiki-Users mailing list archive at Nabble.com.
Re: [xwiki-users] Programming rights in virtual wiki
hel-o wrote:
> Hi,
>
> use case would be, that any action a local user might want to do that needs
> programming rights is not possible (using codes, macros, applications (Import
> Export Application) from the code zone or creating own scripts using
> Velocity). And I would not like to grant every user who needs programming
> rights, because he wants to do one of the things mentioned above a global
> account.

Note that unlike all the other rights, programming does not apply to the current user, but to the user that last saved the document. Also, as Vincent said, most of the API is public and runs without programming rights.

> For me it is not that much of a problem, because I have also a global
> account and I really understand your concerns about security. But it's also
> limiting the abilities of a virtual wiki environment.
>
> But what I get from what you're saying is, that it's not possible to restrict
> the programming rights for a local user only to his virtual wiki.

No, because you get access to internal classes that control the site. The public API is obeying access rights, but with programming rights you can go past them, inside our Java SPI.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
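Added example (not part of the thread and not XWiki code): a small Python model of the two rules stated in the replies, that programming rights are evaluated for the user who last saved a page and can only be held by accounts registered on the main wiki. The main wiki name "xwiki", the users, the page names and the audit helper are all constructed for illustration.

```python
"""Model of the programming-rights rules described in this thread (constructed)."""
from dataclasses import dataclass

MAIN_WIKI = "xwiki"  # assumption: identifier of the farm's main wiki


@dataclass(frozen=True)
class User:
    wiki: str   # wiki the account is registered on
    name: str


@dataclass(frozen=True)
class Page:
    wiki: str
    name: str
    last_author: User        # the user that last saved the document
    needs_programming: bool  # content uses Groovy or the internal Java API


def holds_programming_right(user, grants):
    """Only accounts registered on the main wiki can hold the right."""
    return user.wiki == MAIN_WIKI and user in grants


def runs_with_programming_rights(page, viewer, grants):
    """The right follows the last author; the viewer is never consulted."""
    del viewer  # kept in the signature only to make that point explicit
    return holds_programming_right(page.last_author, grants)


def audit(pages, grants):
    """Split a farm's pages into those to review and those that will fail."""
    review, failing = [], []
    for page in pages:
        privileged = holds_programming_right(page.last_author, grants)
        if privileged and page.wiki != MAIN_WIKI:
            review.append(page.name)   # farm-wide power running inside a sub wiki
        elif page.needs_programming and not privileged:
            failing.append(page.name)  # privileged calls will be refused
    return review, failing


# Constructed sample data: one global admin and one sub-wiki admin.
GLOBAL_ADMIN = User(MAIN_WIKI, "Admin")
LOCAL_ADMIN = User("helwiki", "hel")
# The local grant is present on purpose: it must have no effect.
GRANTS = {GLOBAL_ADMIN, LOCAL_ADMIN}
PAGES = [
    Page("helwiki", "ImportPages", LOCAL_ADMIN, True),
    Page("helwiki", "Report", GLOBAL_ADMIN, True),
    Page("helwiki", "WebHome", LOCAL_ADMIN, False),
]

if __name__ == "__main__":
    print(audit(PAGES, GRANTS))
```

The "review" list is what a farm administrator would inspect after any save by a main-wiki account on a sub wiki; the "failing" list matches the ImportPages behaviour reported earlier in the thread.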
Re: [xwiki-users] Programming rights in virtual wiki
On Fri, Mar 27, 2009 at 16:50, Vincent Massol wrote:
>
> On Mar 27, 2009, at 4:41 PM, hel-o wrote:
>
>> Hi,
>>
>> use case would be, that any action a local user might want to do
>> that needs programming rights is not possible (using codes, macros,
>> applications (Import Export Application) from the code zone or
>> creating own scripts using Velocity). And I would not like to grant
>> every user who needs programming rights, because he wants to do one
>> of the things mentioned above a global account.
>
> Velocity doesn't require programming rights.
>
> Only Groovy and some Java APIs do require programming rights. For
> Groovy I hope we'll fix this in the future by having it run in its own
> sandbox. For the APIs it's done voluntarily. Accessing the private
> XWiki instance, the XWikiDocument or XWikiContext is not supposed to
> happen for users. These APIs are meant to be used internally only. If
> you're missing a given public API you should tell us and we can see on
> a case by case basis if we could make it available in the public API.

Or you can provide additional public api by writing a plugin.

> Thanks
> -Vincent

--
Thomas Mortagne
Re: [xwiki-users] Programming rights in virtual wiki
On Mar 27, 2009, at 4:41 PM, hel-o wrote:

> Hi,
>
> use case would be, that any action a local user might want to do
> that needs programming rights is not possible (using codes, macros,
> applications (Import Export Application) from the code zone or
> creating own scripts using Velocity). And I would not like to grant
> every user who needs programming rights, because he wants to do one
> of the things mentioned above a global account.

Velocity doesn't require programming rights.

Only Groovy and some Java APIs do require programming rights. For Groovy I hope we'll fix this in the future by having it run in its own sandbox. For the APIs it's done voluntarily. Accessing the private XWiki instance, the XWikiDocument or XWikiContext is not supposed to happen for users. These APIs are meant to be used internally only. If you're missing a given public API you should tell us and we can see on a case by case basis if we could make it available in the public API.

Thanks
-Vincent

> For me it is not that much of a problem, because I have also a
> global account and I really understand your concerns about security.
> But it's also limiting the abilities of a virtual wiki environment.
>
> But what I get from what you're saying is, that it's not possible to
> restrict the programming rights for a local user only to his virtual
> wiki.
>
> hel.
Re: [xwiki-users] Programming rights in virtual wiki
Hi,

use case would be, that any action a local user might want to do that needs programming rights is not possible (using codes, macros, applications (Import Export Application) from the code zone or creating own scripts using Velocity). And I would not like to grant every user who needs programming rights, because he wants to do one of the things mentioned above a global account.

For me it is not that much of a problem, because I have also a global account and I really understand your concerns about security. But it's also limiting the abilities of a virtual wiki environment.

But what I get from what you're saying is, that it's not possible to restrict the programming rights for a local user only to his virtual wiki.

hel.

-
hel.
h...@hel.at
--
View this message in context: http://n2.nabble.com/Programming-rights-in-virtual-wiki-tp2538608p2544919.html
Re: [xwiki-users] Programming rights in virtual wiki
On Mar 27, 2009, at 3:48 PM, Sergiu Dumitriu wrote:

> Vincent Massol wrote:
>> Hi Hel,
>>
>> On Mar 27, 2009, at 2:28 PM, hel-o wrote:
>>
>>> Hi,
>>>
>>> is there a special reason for that,
>>
>> This is for security issues since one wiki in a farm could endanger
>> all the wikis in the farm very easily since a local user would get
>> access to a powerful API.
>
> To be more detailed, a user with programming rights has absolute access
> on the whole server (using Groovy), and in a public farm if a wiki admin
> gives himself programming rights, he can seriously affect the entire
> server. Imagine if somebody could do anything on the whole Blogspot
> farm...
>
>>> and is it planned for a future release to have the possibility to
>>> have programming rights in a virtual wiki?
>>
>> No.
>
> It depends. There is an issue on jira.xwiki.org about having an option
> for this, defaulting to false, but there's no requirement for this.
> Programming rights are really a dangerous thing, I don't see any need to
> grant them to anybody except one global account that decides what is
> safe.

Indeed, if you need programming rights for a given api maybe a better way would be to provide that API without programming rights (if it's safe).
What's your use case?

Thanks
-Vincent
Re: [xwiki-users] Programming rights in virtual wiki
Vincent Massol wrote:
> Hi Hel,
>
> On Mar 27, 2009, at 2:28 PM, hel-o wrote:
>
>> Hi,
>>
>> is there a special reason for that,
>
> This is for security issues since one wiki in a farm could endanger
> all the wikis in the farm very easily since a local user would get
> access to a powerful API.

To be more detailed, a user with programming rights has absolute access on the whole server (using Groovy), and in a public farm if a wiki admin gives himself programming rights, he can seriously affect the entire server. Imagine if somebody could do anything on the whole Blogspot farm...

>> and is it planned for a future release to have the possibility to
>> have programming rights in a virtual wiki?
>
> No.

It depends. There is an issue on jira.xwiki.org about having an option for this, defaulting to false, but there's no requirement for this. Programming rights are really a dangerous thing, I don't see any need to grant them to anybody except one global account that decides what is safe.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
Re: [xwiki-users] Programming rights in virtual wiki
Hi Hel,

On Mar 27, 2009, at 2:28 PM, hel-o wrote:

> Hi,
>
> is there a special reason for that,

This is for security issues since one wiki in a farm could endanger all the wikis in the farm very easily since a local user would get access to a powerful API.

> and is it planned for a future release to have the possibility to
> have programming rights in a virtual wiki?

No.

Thanks
-Vincent
Re: [xwiki-users] Programming rights in virtual wiki
Hi,

is there a special reason for that, and is it planned for a future release to have the possibility to have programming rights in a virtual wiki?

hel.

-
hel.
h...@hel.at
--
View this message in context: http://n2.nabble.com/Programming-rights-in-virtual-wiki-tp2538608p2544266.html
Re: [xwiki-users] Programming rights in virtual wiki
Hel-o,

Only users registered on the main wiki can be granted programming access level. But they can save pages with the programming rights on sub wikis.

Jerome.

hel-o wrote:
> Hi,
>
> is there a way to give programming rights to a user in a virtual wiki?
>
> Thanks
> hel.
[xwiki-users] Programming rights in virtual wiki
Hi,

is there a way to give programming rights to a user in a virtual wiki?

Thanks
hel.

-
hel.
h...@hel.at
--
View this message in context: http://n2.nabble.com/Programming-rights-in-virtual-wiki-tp2538608p2538608.html