Hi Caleb, hi all, Although I am currently a bit far from the current development stage of XWiki, I would like to support this and any other initiative that depicts the security properties of XWiki.
When talking about wiki technologies with colleagues mainly from the biomedical arena, wiki's security is their main concern. In general, wikis are considered "open environments" where anybody can read and/or modify contents. In general they are not aware of the possibility of using platforms as XWiki for enterprise levels developments with a high level of security and access control granularity. I understand that at some extent XWiki security relies on the security settings of the web server, application server and database used. Even in this case, I think it will be really useful and welcome a page/pages maintained by the XWiki team that could be used to explain how secure is this environment. Ok, any of us, as Caleb did, can start this effort! Thanks for your work, Ricardo Caleb James DeLisle wrote: > It might sound silly but if there are no security requirements then there are > no security holes. > We all know when we see something which shouldn't happen but I don't think > there is any page > defining exactly what the security requirements are. > > 1. Users should not be able to spawn additional processes on the server. > 2. Users should not be able to commit changes to the database except through > the saveDocument function. > 3. Users should not be able to save documents without their name as the > author or contentAuthor as applicable. > 4. Guests should not be able to execute server side script except that which > was written and saved by a user. > > This list is doesn't cover much yet, I hope to see some additions and > discussion of may code may violate some > the rules as well as how we can have 'untrusted' code which is unable to > violate the rules. > > I propose we put up a design page for maintenance of this list. > > WDYT? > > Caleb > > _______________________________________________ > devs mailing list > devs@xwiki.org > http://lists.xwiki.org/mailman/listinfo/devs > > -- Ricardo RodrÃguez CTO eBiotic. Life Sciences, Data Modeling and Information Management Systems _______________________________________________ devs mailing list devs@xwiki.org http://lists.xwiki.org/mailman/listinfo/devs
