I don't think Velocity macros bring any security issue. However, it makes sense that only admins (who have programming rights) are able to add a macro made available globally, and particularly in the WYSIWYG UI. Indeed it would be practical but not critical that you can test the macro before you make it available. It might be a bit complex to make this test feature automatic more than manual (try your macro in a page).
Ludovic

Asiri Rathnayake wrote:
> Hi,
>
>> You are not speaking about security here but it's a very important
>> subject. With what you described any user could be able to register
>> any macro usable by anyone in which he can do whatever he wants with
>> the rights of the user of the macro.
>>
>> The best would be that a macro created by a user is usable only by
>> himself until this macro is promoted as standard macro in some admin
>> UI. But this means we can't just register the macro as standard
>> component when it's saved, we would need at least the standard list
>> and the users list of macros in the DefaultMacroManager or support
>> this standard component VS users component in a more generic way like
>> the component realms suggested by Vincent.
>>
>> Maybe the first step only register the macro if the user who
>> modified it has programming rights.
>
> Yes, sounds good as a start.
>
> Thanks.
>
> - Asiri
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs

--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost
GTalk: ldubost
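The policy discussed in this thread (a saved macro stays private to its author until someone with programming rights promotes it to the standard list) can be modelled as follows. This is an added example, not code from the original message or from XWiki; `ScopedMacroRegistry`, its methods and the user names are hypothetical, and requiring programming rights for both the promoter and the last author is an assumption that combines the two suggestions above.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
/** Hypothetical model of the policy in this thread; not XWiki's DefaultMacroManager. Java 16+. */
public class ScopedMacroRegistry {
    private record Entry(String lastAuthor, boolean standard) {}
    private final Set<String> programmers;              // users holding programming rights (assumed input)
    private final Map<String, Entry> macros = new HashMap<>();

    public ScopedMacroRegistry(Set<String> programmers) {
        this.programmers = Set.copyOf(programmers);
    }

    /** Saving never makes a macro standard; an edit by a user without programming rights revokes it. */
    public void save(String author, String name) {
        Entry old = macros.get(name);
        boolean keep = old != null && old.standard() && programmers.contains(author);
        macros.put(name, new Entry(author, keep));
    }

    /** Promotion needs programming rights for both the promoter and the macro's last author. */
    public boolean promote(String promoter, String name) {
        Entry e = macros.get(name);
        if (e == null || !programmers.contains(promoter) || !programmers.contains(e.lastAuthor())) {
            return false;
        }
        macros.put(name, new Entry(e.lastAuthor(), true));
        return true;
    }

    /** A non-standard macro is usable only by the user who last saved it. */
    public boolean usableBy(String user, String name) {
        Entry e = macros.get(name);
        return e != null && (e.standard() || e.lastAuthor().equals(user));
    }

    public static void main(String[] args) {
        // Constructed users: "admin" has programming rights, "bob" and "carol" do not.
        ScopedMacroRegistry r = new ScopedMacroRegistry(Set.of("admin"));
        r.save("bob", "hello");
        System.out.println("carol can use bob's macro: " + r.usableBy("carol", "hello"));
        System.out.println("admin promotes bob's macro: " + r.promote("admin", "hello"));
        r.save("admin", "hello");   // admin reviews and re-saves, becoming last author
        System.out.println("admin promotes reviewed macro: " + r.promote("admin", "hello"));
        System.out.println("carol can use it now: " + r.usableBy("carol", "hello"));
        r.save("bob", "hello");     // later edit by a user without programming rights
        System.out.println("carol after bob's edit: " + r.usableBy("carol", "hello"));
    }
}
```

The last step in `main` covers the case the thread leaves implicit: a macro that was promoted and is then edited by a user without programming rights drops back to author-only visibility until it is promoted again.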

