Re: [xwiki-users] viewer=code

2009-08-27 Thread Ajdin Brandic
Thanks for the response (Caleb James DeLisle and Sergiu).  I am using
myxwiki.org so not sure if I have access to .vm files?!

I think a way of disabling viewer=code should be available ASAP.  

As it is not obvious (especially for new xwiki users/developers) that
any code is publicly accessible and there is no clear way of hiding
Groovy + Velocity code from the public (or search engines), this
feature poses a great security risk. Someone unaware of this feature
(like I was) and using a 3rd party API which requires authentication
could easily embed and reveal a username/password to the whole world.

Ajdin

 

NOTICE

This message and any files transmitted with it is intended for the addressee 
only and may contain information that is confidential or privileged. 
Unauthorised use is strictly prohibited. If you are not the addressee, you 
should not read, copy, disclose or otherwise use this message, except for the 
purpose of delivery to the addressee. 

Any views or opinions expressed within this e-mail are those of the author and 
do not necessarily represent those of Coventry University.
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users


Re: [xwiki-users] viewer=code

2009-08-26 Thread Marius Dumitru Florea
Hi Ajdin,

Ajdin Brandic wrote:
 Is there an option (settings) to disable this (viewer=code) on a site?

I don't know if there is a way to disable the viewer=code from the UI 
but I know you can prevent it by editing templates/view.vm around this line:

#template("${viewer}.vm")

or by renaming templates/code.vm (but that leads to a blank page which 
is not user friendly).

Btw, why do you want to hide the code?

Hope this helps,
Marius

 


Re: [xwiki-users] viewer=code

2009-08-26 Thread Ajdin Brandic
Let's say I'm doing some user input checking to prevent spam. Since I am
using the myxwiki.org service and have no access to the back end code, I
could have some hard-coded sensitive info in my script (i.e. u/p to
Twitter or Facebook).

Ajdin



Re: [xwiki-users] viewer=code

2009-08-26 Thread Marius Dumitru Florea
Ajdin Brandic wrote:
 Let's say I'm doing some user input checking to prevent spam. Since I am
 using the myxwiki.org service and have no access to the back end code, I
 could have some hard-coded sensitive info in my script (i.e. u/p to
 Twitter or Facebook).

Afaik, there is no view-code right so any user with view access is able 
to see the code of the page.

Marius

 


Re: [xwiki-users] viewer=code

2009-08-26 Thread Ajdin Brandic
Will it show Groovy as well as Velocity code?

Ajdin 



Re: [xwiki-users] viewer=code

2009-08-26 Thread Thomas Mortagne
viewer=code does not make any distinction between specific kinds of content;
it simply prints the document content, which can contain wiki syntax,
Velocity, Groovy, etc. A better name would be viewer=source.

-- 
Thomas Mortagne


Re: [xwiki-users] viewer=code

2009-08-26 Thread Caleb James DeLisle
Blocking users from copying a script is tricky business. To start with,
an exception will cause the content to be dumped in the error message.

You might try this:
Create a page (I will call it Main.banned, but you can call it what you
like). This will contain your secret Groovy script. Put this in it:

public class MySecretClass {
    public String go() {
        // your code goes here; it can only output things through
        // the return statement, println and errors will not be shown.
        String out = "hello world!"; // my test code :)
        return out;
    }
}

NOTE: there are no % or {{groovy}} marks.
Set the permissions of this page so that only you are allowed to view it.

Create another page (which users are allowed to view). In this page put:

{{velocity}}
#set($myclass = $xwiki.parseGroovyFromPage("Main.banned"))
$myclass.go()
{{/velocity}}

Now unregistered users and users without permission can view the page
with the Velocity code (which executes the Groovy page), but not view
the page with the Groovy code (with viewer=code or otherwise).

In the event of an exception in your Groovy code, the user will see a
Velocity exception, and the exact error (e.g.
StringIndexOutOfBoundsException -1) will be shown, but not the Groovy code.

I have tested this and it works. A user without any special permissions
can copy the Velocity code and run it themselves, but I can't see any
way for them to read the Groovy code.


Hope this helps,

Caleb James DeLisle
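An added example (not Caleb's code and not XWiki's own) of the restricted-page Groovy class described above, with the exception caveat handled: the class holds a constructed placeholder credential, exposes only go(), and scrubs the secret from any exception text before it can surface in the Velocity error on the public page. The class name SecretSpamCheck, the api.example.invalid endpoint and the placeholder credentials are assumptions.

```groovy
import java.util.regex.Pattern

// Groovy meant for a page whose view right is restricted (Caleb's Main.banned).
// The public Velocity page only ever calls go() and only ever gets a String back.
public class SecretSpamCheck {
    // Constructed placeholder credentials; on the wiki these live only in the
    // restricted page, never in the publicly viewable page.
    private static final String API_USER = 'placeholder-user'
    private static final String API_PASS = 'placeholder-pass'

    // Stand-in for a call to an authenticated 3rd-party API. Real HTTP clients
    // often embed the request URL (userinfo included) in their exception text,
    // which is exactly what would be echoed back to the viewer.
    private String callApi(String text) {
        String endpoint = "https://${API_USER}:${API_PASS}@api.example.invalid/check"
        if (text == null || text.trim().isEmpty()) {
            throw new IllegalStateException("request to ${endpoint} failed: empty body")
        }
        return text.toLowerCase().contains('buy now') ? 'spam' : 'ok'
    }

    // The only entry point the public page uses.
    public String go(String text) {
        try {
            return callApi(text)
        } catch (Throwable t) {
            // An uncaught exception is shown verbatim in the Velocity error on
            // the public page, so scrub the credentials before returning anything.
            return 'error: ' + scrub(t.message ?: t.class.simpleName)
        }
    }

    // Replace every occurrence of the credentials with a marker.
    static String scrub(String msg) {
        [API_USER, API_PASS].inject(msg) { String acc, String secret ->
            acc.replaceAll(Pattern.quote(secret), '***')
        }
    }
}

// Stand-alone check run with `groovy`, outside XWiki. Omit these lines when
// pasting the class into the restricted page.
def c = new SecretSpamCheck()
assert c.go('Buy now, cheap watches') == 'spam'
assert c.go('Hello from a real user') == 'ok'
assert !c.go('   ').contains('placeholder-pass')
```

On the wiki the public page would call $xwiki.parseGroovyFromPage("Main.banned").go(...) with the user input, as in the post above; a viewer who copies that Velocity can still invoke go(), so it should return nothing more than the status string.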




Re: [xwiki-users] viewer=code

2009-08-26 Thread Sergiu Dumitriu
Ajdin Brandic wrote:
 Is there an option (settings) to disable this (viewer=code) on a site?

First thing to keep in mind is that any user that can *edit* documents 
on your wiki will always be able to retrieve the source code of documents.

Now, if you want to disable the display of code to users, you should 
edit the following templates and add a rights check at the start:

code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm, 
editwysiwygnew.vm, inline.vm, plaincode.vm


This snippet prevents guest access:

#if($context.user == 'XWiki.XWikiGuest')
   #stop
#end

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/