Ajdin Brandic wrote:
> Thanks for the response (Caleb James DeLisle and Sergiu).  I am using
> myxwiki.org so not sure if I have access to .vm files?!

You can. You must:

1. Edit those files locally on your computer
2. See which wiki document is set as your current skin (normally it's 
XWiki.DefaultSkin)
3. Upload the changed VMs as attachments of the skin document.

> I think a way of disabling viewer=code should be available ASAP.  
> 
> As it is not obvious (especially for new xwiki users/developers) that
> any code is publicly accessible and there is no clear way of hiding
> Groovy + Velocity code from the public (or search engines) this
> "feature" poses a great security risk. Someone unaware of this feature
> (like I was) and using a 3rd party API which requires authentication
> could easily embed and reveal username/password to the whole world.
> 
> Ajdin
> 
>  
> 
> -----Original Message-----
> From: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] On Behalf
> Of Sergiu Dumitriu
> Sent: 26 August 2009 22:24
> To: XWiki Users
> Subject: Re: [xwiki-users] viewer=code
> 
> Ajdin Brandic wrote:
>> Is there an option (settings) to disable this (viewer=code) on a site?
> 
> First thing to keep in mind is that any user that can *edit* documents
> on your wiki will always be able to retrieve the source code of
> documents.
> 
> Now, if you want to disable the display of code to users, you should
> edit the following templates and add a rights check at the start:
> 
> code.vm, xml.vm, changes*.vm, editwiki.vm, editwysiwyg.vm,
> editwysiwygnew.vm, inline.vm, plaincode.vm
> 
> 
> This snippet prevents guest access:
> 
> #if($context.user == 'XWiki.XWikiGuest')
>    #stop
> #end
> 


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
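
A pre-upload check for the procedure described above, as an added example that is not part of the original thread or XWiki's own code: it reports which of the listed templates do not begin with the guest check before they are attached to the skin document. The sample template bodies and the file names changes_example.vm and view.vm are constructed for illustration.

```python
import fnmatch
import re

# Template names listed in the thread; changes*.vm is a glob pattern.
GUARDED = ["code.vm", "xml.vm", "changes*.vm", "editwiki.vm", "editwysiwyg.vm",
           "editwysiwygnew.vm", "inline.vm", "plaincode.vm"]
# The guest check from the thread, tolerant of whitespace and quote style.
GUARD = re.compile(r"""#if\s*\(\s*\$\{?context\.user\}?\s*==\s*['"]XWiki\.XWikiGuest['"]\s*\)\s*#stop\s*#end""")
# Velocity line comments (## ...) and block comments (#* ... *#).
COMMENT = re.compile(r"##[^\n]*\n?|#\*.*?\*#", re.S)

# Constructed sample input: file name -> template source.
SAMPLE = {
    "code.vm": "## guard added\n#if($context.user == 'XWiki.XWikiGuest')\n   #stop\n#end\n(template body)\n",
    "changes_example.vm": "(template body)\n#if($context.user == 'XWiki.XWikiGuest')\n#stop\n#end\n",
    "xml.vm": "(template body)\n",
    "view.vm": "(template body)\n",  # not one of the listed templates
}


def needs_guard(name):
    """True if the file name matches one of the templates named in the thread."""
    return any(fnmatch.fnmatch(name, pattern) for pattern in GUARDED)


def starts_with_guard(source):
    """True only if the guard comes first, ignoring leading whitespace and comments."""
    pos = 0
    while True:
        rest = source[pos:]
        pos += len(rest) - len(rest.lstrip())
        match = COMMENT.match(source, pos)
        if not match:
            break
        pos = match.end()
    return GUARD.match(source, pos) is not None


def audit(templates):
    """Return the listed templates that still lack a guard at the start."""
    return sorted(name for name, source in templates.items()
                  if needs_guard(name) and not starts_with_guard(source))


if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("missing guard at start:", name)
```

A guard that appears after the template body, or only inside a comment, is reported as missing, since output rendered before `#stop` has already been sent.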