Re: [xwiki-users] viewer=code
Thanks for the response (Caleb James DeLisle and Sergiu). I am using myxwiki.org so not sure if I have access to .vm files?! I think a way of disabling viewer=code should be available ASAP. As it is not obvious (especially for new xwiki users/developers) that any code is publicly acessible and there is no clear way of hiding Groovy + Velocity code from the public (or search engines) this feature poses a great security risk. Someone unaware of this feature (like I was) and using a 3rd party API which requires authentication could easily embed and revile username/password to the whole world. Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Sergiu Dumitriu Sent: 26 August 2009 22:24 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? First thing to keep in mind is that any user that can *edit* documents on your wiki will always be able to retrieve the source code of documents. Now, if you want to disable the display of code to users, you should edit the following templates and add a rights check at the start: code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm, editwysiwygnew.vm, inline.vm, plaincode.vm This snippet prevents guest access: #if($context.user == 'XWiki.XWikiGuest') #stop #end -- Sergiu Dumitriu http://purl.org/net/sergiu/ ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] viewer=code
Hi Ajdin, Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? I don't know if there is a way to disable the viewer=code from the UI but I know you can prevent it by editing templates/view.vm around this line: #template(${viewer}.vm) or by renaming templates/code.vm (but that leads to a blank page which is not user friendly). Btw, why do you want to hide the code? Hope this helps, Marius Ajdin NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] viewer=code
Lets say I'm doing some user input checking to prevent spam. Since I am using myxwiki.org service and have no access to the back end code I could have some hard coded sensitive info in my script (ie. u/p to twitter or facebook). Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 16:07 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Hi Ajdin, Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? I don't know if there is a way to disable the viewer=code from the UI but I know you can prevent it by editing templates/view.vm around this line: #template(${viewer}.vm) or by renaming templates/code.vm (but that leads to a blank page which is not user friendly). Btw, why do you want to hide the code? Hope this helps, Marius Ajdin NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] viewer=code
Ajdin Brandic wrote: Lets say I'm doing some user input checking to prevent spam. Since I am using myxwiki.org service and have no access to the back end code I could have some hard coded sensitive info in my script (ie. u/p to twitter or facebook). Afaik, there is no view-code right so any user with view access is able to see the code of the page. Marius Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 16:07 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Hi Ajdin, Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? I don't know if there is a way to disable the viewer=code from the UI but I know you can prevent it by editing templates/view.vm around this line: #template(${viewer}.vm) or by renaming templates/code.vm (but that leads to a blank page which is not user friendly). Btw, why do you want to hide the code? Hope this helps, Marius Ajdin NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] viewer=code
Will it show Groovy as well as Velocity code? Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 17:18 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Ajdin Brandic wrote: Lets say I'm doing some user input checking to prevent spam. Since I am using myxwiki.org service and have no access to the back end code I could have some hard coded sensitive info in my script (ie. u/p to twitter or facebook). Afaik, there is no view-code right so any user with view access is able to see the code of the page. Marius Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 16:07 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Hi Ajdin, Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? I don't know if there is a way to disable the viewer=code from the UI but I know you can prevent it by editing templates/view.vm around this line: #template(${viewer}.vm) or by renaming templates/code.vm (but that leads to a blank page which is not user friendly). Btw, why do you want to hide the code? Hope this helps, Marius Ajdin NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] viewer=code
viewer=code does not make any difference between any specific content, it simply print the document content which can contains wiki syntax, velocity , groovy etc... a better name would be viewer=source On Wed, Aug 26, 2009 at 18:36, Ajdin Brandicaa6...@coventry.ac.uk wrote: Will it show Groovy as well as Velocity code? Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 17:18 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Ajdin Brandic wrote: Lets say I'm doing some user input checking to prevent spam. Since I am using myxwiki.org service and have no access to the back end code I could have some hard coded sensitive info in my script (ie. u/p to twitter or facebook). Afaik, there is no view-code right so any user with view access is able to see the code of the page. Marius Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 16:07 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Hi Ajdin, Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? I don't know if there is a way to disable the viewer=code from the UI but I know you can prevent it by editing templates/view.vm around this line: #template(${viewer}.vm) or by renaming templates/code.vm (but that leads to a blank page which is not user friendly). Btw, why do you want to hide the code? Hope this helps, Marius Ajdin NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] viewer=code
Blocking users from copying a script is tricky business. To start with, an exception will cause the content to be dumped in the error message. You might try this: create a page (I will call it Main.banned, but you can call it what you like.) This will contain your secret groovy script. put this in it public class MySecretClass{ public String go(){ //your code goes here, it can only output things through //the return statement, println and errors will not be shown. String out = hello world!;//my test code :) return out; } } NOTE: there are no % or {{groovy}} marks Set the permissions of this page so that only you are allowed to view it. create another page (which users are allowed to view.) in this page put: {{velocity}} #set($myclass = $xwiki.parseGroovyFromPage(Main.banned)) $myclass.go() {{/velocity}} now unregistered users and users without permission can view the page with the velocity code (which executes the groovy page), but not view the page with the groovy code (with viewer=code or otherwise.) In the event of an exception in your groovy code, the user will see a velocity exception, and the exact error (eg StringIndexOutOfBoundsException -1) will be shown, but not the groovy code. I have tested this and it works. A user without any special permissions can copy the velocity code and run it themselves, but I can't see any way for them to read the groovy code. Hope this helps, Caleb James DeLisle Thomas Mortagne wrote: viewer=code does not make any difference between any specific content, it simply print the document content which can contains wiki syntax, velocity , groovy etc... a better name would be viewer=source On Wed, Aug 26, 2009 at 18:36, Ajdin Brandicaa6...@coventry.ac.uk wrote: Will it show Groovy as well as Velocity code? Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 17:18 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Ajdin Brandic wrote: Lets say I'm doing some user input checking to prevent spam. Since I am using myxwiki.org service and have no access to the back end code I could have some hard coded sensitive info in my script (ie. u/p to twitter or facebook). Afaik, there is no view-code right so any user with view access is able to see the code of the page. Marius Ajdin -Original Message- From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf Of Marius Dumitru Florea Sent: 26 August 2009 16:07 To: XWiki Users Subject: Re: [xwiki-users] viewer=code Hi Ajdin, Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? I don't know if there is a way to disable the viewer=code from the UI but I know you can prevent it by editing templates/view.vm around this line: #template(${viewer}.vm) or by renaming templates/code.vm (but that leads to a blank page which is not user friendly). Btw, why do you want to hide the code? Hope this helps, Marius Ajdin NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users NOTICE This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University. ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo
Re: [xwiki-users] viewer=code
Ajdin Brandic wrote: Is there an option (settings) to disable this (viewer=code) on a site? First thing to keep in mind is that any user that can *edit* documents on your wiki will always be able to retrieve the source code of documents. Now, if you want to disable the display of code to users, you should edit the following templates and add a rights check at the start: code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm, editwysiwygnew.vm, inline.vm, plaincode.vm This snippet prevents guest access: #if($context.user == 'XWiki.XWikiGuest') #stop #end -- Sergiu Dumitriu http://purl.org/net/sergiu/ ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users