Hi,

Unfortunately I never used the polls application, so I don't know what
it does / how it works. However I hope I can point you in the right
direction.

If a document is editable by XWikiGuest (anyone) .... anyone can
change it, so yes, manipulation would be possible. I think what you
are looking for are 'programming' rights. The script saving the vote
needs to be saved from a user with programming rights. The document to
which you attach the poll votes can then be saved using the method
saveWithProgrammingRights() on the Document API. This allows you to
let XWikiGuest users attach objects to a document they are not allowed
to edit.

Hope this helps
Edo

On Sat, Sep 10, 2011 at 12:55 PM, O Voss <[email protected]> wrote:
> Hi,
>
> I'm planning to do the following:
>
> Each document based on a certain template automatically gets its own standard
> poll. (No customisation.) Each user visiting the page can vote.
>
> Having looked at the polls application and played around with templates a 
> bit, I think I know all the ingredients I will need.
>
> I have one problem though: Anyone who votes needs write permissions on the 
> document that saves the votes (wherever that may be). If I'm not mistaken
> that means anyone who can vote theoretically can manipulate voting data by 
> accessing these objects directly.
>
> Is there any way to secure this against manipulation
>
> a) from users who can vote?
> b) from the user who created the page?
>
> Probably that question is equivalent to: Is there a way to let users save 
> changes on an object only via a script while hindering that very same user 
> from editing it directly?
>
> Any hints are greatly appreciated!
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
>
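
The approach described in the reply above, written out as an XWiki Velocity script. This is an added example, not code from the thread or from the polls application. The page name `Polls.VoteStore`, the class `Polls.VoteClass` with its `voter` and `choice` properties, the request parameters and the list of allowed choices are all hypothetical, and it assumes voters may view but not edit the store page.

```velocity
## Added example; all page, class, property and parameter names are hypothetical.
## This script page must be last saved by a user with programming rights, and
## both this page and the store page must deny edit rights to voters. Otherwise
## the stored votes can still be changed directly.
#set($storeName = 'Polls.VoteStore')
#set($voteClass = 'Polls.VoteClass')
#set($allowed = ['yes', 'no', 'abstain'])
#set($choice = "$!request.getParameter('choice')")
#set($token = "$!request.getParameter('form_token')")
#set($voter = "$!xcontext.user")
#if(!$xwiki.hasProgrammingRights())
  ## Happens when a user without programming rights last saved this page.
  Vote script has no programming rights; nothing was saved.
#elseif($request.getMethod() != 'POST' || !$services.csrf.isTokenValid($token))
  ## Only accept a form post carrying a valid CSRF token.
  Invalid request.
#elseif(!$allowed.contains($choice))
  ## The script, not the caller, decides which values may be stored.
  Unknown choice.
#else
  #set($store = $xwiki.getDocument($storeName))
  ## Look for an earlier vote object whose 'voter' property is this user.
  #set($existing = $store.getObject($voteClass, 'voter', $voter))
  #if($existing && $voter != 'XWiki.XWikiGuest')
    You have already voted.
  #else
    ## All guests share the XWiki.XWikiGuest identity, so this check cannot
    ## limit anonymous voters to one vote each.
    #set($vote = $store.newObject($voteClass))
    #set($discard = $vote.set('voter', $voter))
    #set($discard = $vote.set('choice', $choice))
    ## Saves under the script author's rights, not the visitor's.
    #set($discard = $store.saveWithProgrammingRights('Vote recorded by script'))
    Vote recorded.
  #end
#end
```

Because the save bypasses the visitor's own rights, every value written to the store page has to be checked by the script itself, as the allowed-choice test does here.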