Re: [xwiki-users] polls and rights
Thanks, including it with context=new did the trick! Olaf Von: Edo Beutler ebeut...@synventis.com An: O Voss richyfourtyth...@yahoo.com; XWiki Users users@xwiki.org Gesendet: 13:22 Montag, 19.September 2011 Betreff: Re: [xwiki-users] polls and rights Hi Olaf Sounds like the non-admin user saves the page which needs programming rights - which removes the programming rights and saveWithProgrammingRights will result in an access denied. If you try with an admin user the page gets programming rights and it works. If I understand correctly you have these three lines in each page - which leads to each page needing programming rights. I think it might work if you put this code snippet in a separate page, saved by the admin, and just include it in the template. Cheers, Edo On Sat, Sep 17, 2011 at 6:14 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi again, Now I tried to do this with templates. I have the following code in a class sheet: #set($sDoc = $xwiki.getDocument('MediaRating.Test')) #set($dummy = $sDoc.setContent($doc.getName())) #set($dummy = $sDoc.saveWithProgrammingRights()) What it should do is this: Each time a page that is based on the template is diplayed the name of that page is writen to the content of the page 'MediaRating.Test'. (In the following when I speak of 'creating a page' I always mean 'creating a page based on a template with the sheet containing the code above'.) I wrote the class, the sheet etc. all with an admin user. When I first tested with the same admin user, it worked fine. When I switched to a normal user and displayed the page that had been created by the admin user it still worked. But when I created a new page with the normal user I get an error: Failed to execute the [velocity] macro The probably most important line in the stack trace: Caused by: com.xpn.xwiki.XWikiException: Error number 9001 in 9: Access denied with no programming rights document MediaRating.Test What is most irritating is this: After switching back to an admin user I get the same error when creating new pages with this user too. It somehow looks as if the template has become 'dirty' by being touched from a normal user. Any hints? Cheers, Olaf Von: O Voss richyfourtyth...@yahoo.com An: XWiki Users users@xwiki.org Gesendet: 19:03 Dienstag, 13.September 2011 Betreff: Re: [xwiki-users] polls and rights Thanks! I thought I had tried that before, but I must have mixed that test with other things before. Now it worked indeed in a small hello world test I just did. I'll have to see if I also manage to get it working in templates and on automatically generated documents. But you've surely sent me in the right direction! Cheers, Olaf Von: Edo Beutler ebeut...@synventis.com An: O Voss richyfourtyth...@yahoo.com; XWiki Users users@xwiki.org Gesendet: 14:01 Montag, 12.September 2011 Betreff: Re: [xwiki-users] polls and rights Hi, Unfortunately I never used the polls application, so I don't know what it does / how it works. However I hope I can point you in the right direction. If a document is editable by XWikiGuest (anyone) anyone can change it, so yes, manipulation would be possible. I think what you are looking for are 'programming' rights. The script saving the vote needs to be saved from a user with programming rights. The document to which you attach the poll votes can than be saved using the method saveWithProgrammingRights() on the Document API. This allows you to let XWikiGuest users attach objects to a document they are not allowed to edit. Hope this helps Edo On Sat, Sep 10, 2011 at 12:55 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi, I'm planning to do the following: Each document based on a certain template autmatically gets it's own standard poll. (No customisation.) Each user visiting the page can vote. Having looked at the polls application and played around with templates a bit, I think I know all the ingredients I will need. I have one problem though: Anyone who votes needs write permissions on the document that saves the votes (whereever that may be). If I'm not mistaken that means anyone who can vote theoretically can manipulate voting data by accessing these objects directly. Is there any way to secure this against manipulation a) from users who can vote? b) from the user who created the page? Probably that question is equivalent to: Is there a way to let users save changes on an object only via a script while hindering that very same user from editing it directly? Any hints are greatly appreciated! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] polls and rights
Hi Olaf Sounds like the non-admin user saves the page which needs programming rights - which removes the programming rights and saveWithProgrammingRights will result in an access denied. If you try with an admin user the page gets programming rights and it works. If I understand correctly you have these three lines in each page - which leads to each page needing programming rights. I think it might work if you put this code snippet in a separate page, saved by the admin, and just include it in the template. Cheers, Edo On Sat, Sep 17, 2011 at 6:14 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi again, Now I tried to do this with templates. I have the following code in a class sheet: #set($sDoc = $xwiki.getDocument('MediaRating.Test')) #set($dummy = $sDoc.setContent($doc.getName())) #set($dummy = $sDoc.saveWithProgrammingRights()) What it should do is this: Each time a page that is based on the template is diplayed the name of that page is writen to the content of the page 'MediaRating.Test'. (In the following when I speak of 'creating a page' I always mean 'creating a page based on a template with the sheet containing the code above'.) I wrote the class, the sheet etc. all with an admin user. When I first tested with the same admin user, it worked fine. When I switched to a normal user and displayed the page that had been created by the admin user it still worked. But when I created a new page with the normal user I get an error: Failed to execute the [velocity] macro The probably most important line in the stack trace: Caused by: com.xpn.xwiki.XWikiException: Error number 9001 in 9: Access denied with no programming rights document MediaRating.Test What is most irritating is this: After switching back to an admin user I get the same error when creating new pages with this user too. It somehow looks as if the template has become 'dirty' by being touched from a normal user. Any hints? Cheers, Olaf Von: O Voss richyfourtyth...@yahoo.com An: XWiki Users users@xwiki.org Gesendet: 19:03 Dienstag, 13.September 2011 Betreff: Re: [xwiki-users] polls and rights Thanks! I thought I had tried that before, but I must have mixed that test with other things before. Now it worked indeed in a small hello world test I just did. I'll have to see if I also manage to get it working in templates and on automatically generated documents. But you've surely sent me in the right direction! Cheers, Olaf Von: Edo Beutler ebeut...@synventis.com An: O Voss richyfourtyth...@yahoo.com; XWiki Users users@xwiki.org Gesendet: 14:01 Montag, 12.September 2011 Betreff: Re: [xwiki-users] polls and rights Hi, Unfortunately I never used the polls application, so I don't know what it does / how it works. However I hope I can point you in the right direction. If a document is editable by XWikiGuest (anyone) anyone can change it, so yes, manipulation would be possible. I think what you are looking for are 'programming' rights. The script saving the vote needs to be saved from a user with programming rights. The document to which you attach the poll votes can than be saved using the method saveWithProgrammingRights() on the Document API. This allows you to let XWikiGuest users attach objects to a document they are not allowed to edit. Hope this helps Edo On Sat, Sep 10, 2011 at 12:55 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi, I'm planning to do the following: Each document based on a certain template autmatically gets it's own standard poll. (No customisation.) Each user visiting the page can vote. Having looked at the polls application and played around with templates a bit, I think I know all the ingredients I will need. I have one problem though: Anyone who votes needs write permissions on the document that saves the votes (whereever that may be). If I'm not mistaken that means anyone who can vote theoretically can manipulate voting data by accessing these objects directly. Is there any way to secure this against manipulation a) from users who can vote? b) from the user who created the page? Probably that question is equivalent to: Is there a way to let users save changes on an object only via a script while hindering that very same user from editing it directly? Any hints are greatly appreciated! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] polls and rights
Hi again, Now I tried to do this with templates. I have the following code in a class sheet: #set($sDoc = $xwiki.getDocument('MediaRating.Test')) #set($dummy = $sDoc.setContent($doc.getName())) #set($dummy = $sDoc.saveWithProgrammingRights()) What it should do is this: Each time a page that is based on the template is diplayed the name of that page is writen to the content of the page 'MediaRating.Test'. (In the following when I speak of 'creating a page' I always mean 'creating a page based on a template with the sheet containing the code above'.) I wrote the class, the sheet etc. all with an admin user. When I first tested with the same admin user, it worked fine. When I switched to a normal user and displayed the page that had been created by the admin user it still worked. But when I created a new page with the normal user I get an error: Failed to execute the [velocity] macro The probably most important line in the stack trace: Caused by: com.xpn.xwiki.XWikiException: Error number 9001 in 9: Access denied with no programming rights document MediaRating.Test What is most irritating is this: After switching back to an admin user I get the same error when creating new pages with this user too. It somehow looks as if the template has become 'dirty' by being touched from a normal user. Any hints? Cheers, Olaf Von: O Voss richyfourtyth...@yahoo.com An: XWiki Users users@xwiki.org Gesendet: 19:03 Dienstag, 13.September 2011 Betreff: Re: [xwiki-users] polls and rights Thanks! I thought I had tried that before, but I must have mixed that test with other things before. Now it worked indeed in a small hello world test I just did. I'll have to see if I also manage to get it working in templates and on automatically generated documents. But you've surely sent me in the right direction! Cheers, Olaf Von: Edo Beutler ebeut...@synventis.com An: O Voss richyfourtyth...@yahoo.com; XWiki Users users@xwiki.org Gesendet: 14:01 Montag, 12.September 2011 Betreff: Re: [xwiki-users] polls and rights Hi, Unfortunately I never used the polls application, so I don't know what it does / how it works. However I hope I can point you in the right direction. If a document is editable by XWikiGuest (anyone) anyone can change it, so yes, manipulation would be possible. I think what you are looking for are 'programming' rights. The script saving the vote needs to be saved from a user with programming rights. The document to which you attach the poll votes can than be saved using the method saveWithProgrammingRights() on the Document API. This allows you to let XWikiGuest users attach objects to a document they are not allowed to edit. Hope this helps Edo On Sat, Sep 10, 2011 at 12:55 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi, I'm planning to do the following: Each document based on a certain template autmatically gets it's own standard poll. (No customisation.) Each user visiting the page can vote. Having looked at the polls application and played around with templates a bit, I think I know all the ingredients I will need. I have one problem though: Anyone who votes needs write permissions on the document that saves the votes (whereever that may be). If I'm not mistaken that means anyone who can vote theoretically can manipulate voting data by accessing these objects directly. Is there any way to secure this against manipulation a) from users who can vote? b) from the user who created the page? Probably that question is equivalent to: Is there a way to let users save changes on an object only via a script while hindering that very same user from editing it directly? Any hints are greatly appreciated! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] polls and rights
Thanks! I thought I had tried that before, but I must have mixed that test with other things before. Now it worked indeed in a small hello world test I just did. I'll have to see if I also manage to get it working in templates and on automatically generated documents. But you've surely sent me in the right direction! Cheers, Olaf Von: Edo Beutler ebeut...@synventis.com An: O Voss richyfourtyth...@yahoo.com; XWiki Users users@xwiki.org Gesendet: 14:01 Montag, 12.September 2011 Betreff: Re: [xwiki-users] polls and rights Hi, Unfortunately I never used the polls application, so I don't know what it does / how it works. However I hope I can point you in the right direction. If a document is editable by XWikiGuest (anyone) anyone can change it, so yes, manipulation would be possible. I think what you are looking for are 'programming' rights. The script saving the vote needs to be saved from a user with programming rights. The document to which you attach the poll votes can than be saved using the method saveWithProgrammingRights() on the Document API. This allows you to let XWikiGuest users attach objects to a document they are not allowed to edit. Hope this helps Edo On Sat, Sep 10, 2011 at 12:55 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi, I'm planning to do the following: Each document based on a certain template autmatically gets it's own standard poll. (No customisation.) Each user visiting the page can vote. Having looked at the polls application and played around with templates a bit, I think I know all the ingredients I will need. I have one problem though: Anyone who votes needs write permissions on the document that saves the votes (whereever that may be). If I'm not mistaken that means anyone who can vote theoretically can manipulate voting data by accessing these objects directly. Is there any way to secure this against manipulation a) from users who can vote? b) from the user who created the page? Probably that question is equivalent to: Is there a way to let users save changes on an object only via a script while hindering that very same user from editing it directly? Any hints are greatly appreciated! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] polls and rights
Hi, Unfortunately I never used the polls application, so I don't know what it does / how it works. However I hope I can point you in the right direction. If a document is editable by XWikiGuest (anyone) anyone can change it, so yes, manipulation would be possible. I think what you are looking for are 'programming' rights. The script saving the vote needs to be saved from a user with programming rights. The document to which you attach the poll votes can than be saved using the method saveWithProgrammingRights() on the Document API. This allows you to let XWikiGuest users attach objects to a document they are not allowed to edit. Hope this helps Edo On Sat, Sep 10, 2011 at 12:55 PM, O Voss richyfourtyth...@yahoo.com wrote: Hi, I'm planning to do the following: Each document based on a certain template autmatically gets it's own standard poll. (No customisation.) Each user visiting the page can vote. Having looked at the polls application and played around with templates a bit, I think I know all the ingredients I will need. I have one problem though: Anyone who votes needs write permissions on the document that saves the votes (whereever that may be). If I'm not mistaken that means anyone who can vote theoretically can manipulate voting data by accessing these objects directly. Is there any way to secure this against manipulation a) from users who can vote? b) from the user who created the page? Probably that question is equivalent to: Is there a way to let users save changes on an object only via a script while hindering that very same user from editing it directly? Any hints are greatly appreciated! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
[xwiki-users] polls and rights
Hi, I'm planning to do the following: Each document based on a certain template autmatically gets it's own standard poll. (No customisation.) Each user visiting the page can vote. Having looked at the polls application and played around with templates a bit, I think I know all the ingredients I will need. I have one problem though: Anyone who votes needs write permissions on the document that saves the votes (whereever that may be). If I'm not mistaken that means anyone who can vote theoretically can manipulate voting data by accessing these objects directly. Is there any way to secure this against manipulation a) from users who can vote? b) from the user who created the page? Probably that question is equivalent to: Is there a way to let users save changes on an object only via a script while hindering that very same user from editing it directly? Any hints are greatly appreciated! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users