Thanks! I thought I had tried that before, but I must have mixed that test with other things before. Now it worked indeed in a small hello world test I just did. I'll have to see if I also manage to get it working in templates and on automatically generated documents. But you've surely sent me in the right direction!
Cheers,
Olaf

>________________________________
>From: Edo Beutler <ebeut...@synventis.com>
>To: O Voss <richyfourtyth...@yahoo.com>; XWiki Users <users@xwiki.org>
>Sent: 14:01 Monday, 12 September 2011
>Subject: Re: [xwiki-users] polls and rights
>
>Hi,
>
>Unfortunately I never used the polls application, so I don't know what
>it does / how it works. However I hope I can point you in the right
>direction.
>
>If a document is editable by XWikiGuest (anyone) .... anyone can
>change it, so yes, manipulation would be possible. I think what you
>are looking for are 'programming' rights. The script saving the vote
>needs to be saved from a user with programming rights. The document to
>which you attach the poll votes can then be saved using the method
>saveWithProgrammingRights() on the Document API. This allows you to
>let XWikiGuest users attach objects to a document they are not allowed
>to edit.
>
>Hope this helps
>Edo
>
>On Sat, Sep 10, 2011 at 12:55 PM, O Voss <richyfourtyth...@yahoo.com> wrote:
>> Hi,
>>
>> I'm planning to do the following:
>>
>> Each document based on a certain template automatically gets its own
>> standard poll. (No customisation.) Each user visiting the page can vote.
>>
>> Having looked at the polls application and played around with templates a
>> bit, I think I know all the ingredients I will need.
>>
>> I have one problem though: Anyone who votes needs write permissions on the
>> document that saves the votes (wherever that may be). If I'm not mistaken
>> that means anyone who can vote theoretically can manipulate voting data by
>> accessing these objects directly.
>>
>> Is there any way to secure this against manipulation
>>
>> a) from users who can vote?
>> b) from the user who created the page?
>>
>> Probably that question is equivalent to: Is there a way to let users save
>> changes on an object only via a script while hindering that very same user
>> from editing it directly?
>>
>> Any hints are greatly appreciated!
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
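The approach suggested in the quoted reply, sketched as an added example that is not part of the original thread or of the polls application: a vote-saving page whose last author holds programming rights, writing to a vote store that ordinary users cannot edit. The page name `Polls.Votes`, the class `Polls.VoteClass`, its properties `voter` and `choice`, and the list of allowed answers are all hypothetical.

```velocity
{{velocity}}
## Added example. Assumptions (hypothetical names): votes are objects of class
## Polls.VoteClass (string properties "voter" and "choice") attached to the page
## Polls.Votes, which voters have view but NOT edit rights on. This script page
## must itself be edit-protected and last saved by a user with programming
## rights, otherwise saveWithProgrammingRights() has nothing to lean on.
#set ($voteClass = 'Polls.VoteClass')
#set ($allowed = ['yes', 'no', 'abstain'])
## Everything from the request is untrusted: the script runs with more rights
## than the caller, so it is the only gate between the caller and the data.
#set ($choice = "$!request.getParameter('choice')")
#set ($voter = "$!xcontext.user")
#set ($store = $xwiki.getDocument('Polls.Votes'))
## One vote per account. All anonymous visitors share XWiki.XWikiGuest, so this
## check cannot tell guests apart; it is only meaningful for logged-in users.
#set ($already = false)
#foreach ($v in $store.getObjects($voteClass))
  #if ("$!v.getProperty('voter').value" == $voter)
    #set ($already = true)
  #end
#end
#if (!$allowed.contains($choice))
  Invalid choice.
#elseif ($already)
  You have already voted.
#else
  ## Only append a new object; never modify or delete existing votes here.
  #set ($vote = $store.newObject($voteClass))
  #set ($discard = $vote.set('voter', $voter))
  #set ($discard = $vote.set('choice', $choice))
  ## The voter identity is taken from the context, not from a request parameter.
  #set ($discard = $store.saveWithProgrammingRights())
  Vote recorded.
#end
{{/velocity}}
```

Because the store page is not editable by voters or by the creator of the polled page, the only write path left to them is this script, and the script accepts nothing beyond one validated choice per account.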