Hi Ben,
Restricting access is a tricky issue. We have a publically available system in which hundreds of users upload templates. I've written a few thoughts on how to have a secure server environment here:
http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
"Abusing the system" is a matter of definition. If what you mean is not to allow them to mess with other users, you'll want to install a custom introspector to prevent calls to system classes and you'll need to modify #include and #parse to prevent users from viewing the contents of other users templates. You can write your own classloader now.
There's a patch in the works that will let you make the second of those modifications.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28388
Otherwise, macros and directives seem pretty harmless to me.
Best, WILL
----- Original Message ----- From: "Ben" <[EMAIL PROTECTED]>
To: "Velocity" <velocity-user@jakarta.apache.org>
Sent: Sunday, January 23, 2005 10:04 PM
Subject: Restrict access to Velocity's capabilities
Hi
I have been using Velocity throughout my site and I am in awe with its capabilities. However there are situations where I need to restrict its capabilities to a certain extend.
For example, my site allows users to upload templates and be able to use a number of predefined variables. What I don't want them to do is to use Velocity to abuse the system, such as using directives and writing macros.
Is there a way to create a Velocity instance with directives and other features disabled? The only thing I need is reference to variables.
Thanks, Ben
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
