On 02/01/2012 06:37 AM, Edo Beutler wrote:
Hi Mohit

As you cited from the doc with programming rights you are allowed to
"execute arbitrary java", but not modify it during runtime.
An example for the use of programming rights would be if you create a
page where an XWikiGuest user can save something without having edit
rights on the page by using $doc.saveWithProgrammingRights(). In this
example the script calling this method would need to be saved by a
user with programming rights.

Generally speaking, without programming rights you are only allowed to
use Api classes and the major part of their methods. With programming
rights you are allowed to use all methods of Api classes or even to
get "background classes" (e.g. XWikiDocument instead of only the api
class Document).


Going further, without Programming Rights, scripts are limited to a strict set of APIs. It's practically "sandboxed" to a safe set of objects and methods that offer a limited functionality, respecting access rights.

With Programming Rights you can execute a broader range of methods and you gain access to internal objects. From Velocity scripts you are still limited to a slightly larger number of objects, but you can access any data in the wiki without being restricted by access rights.

But with Programming Rights you gain access to other scripting languages, not just Velocity, such as Groovy or Python, which allow access to any Java class/object/method, which lets you do stuff like System.exit(), connect to other databases, access the filesystem, execute other programs on the server.

In Groovy you can write new classes, but you can't (easily) override existing classes.

If you want to change existing Java code, you should compile your own .jar starting from the sources, modify them according to your needs, and then replace the original jar with your modified version.

Still, it's usually a bad practice to change existing classes. Most of the services offered by the platform can be changed to other implementations. For example, you shouldn't change XWikiAuthServiceImpl directly, but create a new class that inherits it, implement checkAuth (or any other method you want to override) as you want, compile it into a jar, then all you have to do is edit xwiki.cfg and set the name of your class in:

xwiki.authentication.authclass=com.your.company.MyCustomAuthService


On Wed, Feb 1, 2012 at 12:12 PM, mohit gupta<motgu...@gmail.com>  wrote:
Below is the statement given at
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access+Rights
A programmer is allowed to execute arbitrary java code in the wiki and
can thus gain control of the system user which the wiki is
running under.

Could you give me some example of how an xwiki admin can modify an existing
java class? When will it be compiled and deployed?
Assume I want to add a new method in XWikiAuthServiceImpl.java. How
should I go about this, provided I have programming
rights? Thanks.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
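
An added example, not part of the original thread or of XWiki's own code: a sketch of the subclass approach described in the reply above, here used to add an audit trail of authentication outcomes on top of the stock checkAuth. The class name comes from the xwiki.cfg line in the message; the "auth.audit" logger name, the clean() and remoteAddr() helpers and the use of java.util.logging are assumptions, as is having the XWiki core jar on the compile classpath.

```java
package com.your.company;

import java.util.logging.Logger;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.user.api.XWikiUser;
import com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl;

/** Keeps the default authentication logic and only adds audit logging. */
public class MyCustomAuthService extends XWikiAuthServiceImpl {

    // Hypothetical logger name; route it to a file the wiki cannot edit.
    private static final Logger AUDIT = Logger.getLogger("auth.audit");

    @Override
    public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
        String addr = remoteAddr(context);
        XWikiUser user;
        try {
            user = super.checkAuth(context); // unchanged stock behaviour
        } catch (XWikiException e) {
            AUDIT.warning("auth error addr=" + addr + " msg=" + clean(e.getMessage()));
            throw e; // never swallow: the caller must still see the failure
        }
        if (user == null) {
            // No authenticated user (guest request); high volume, keep it quiet.
            AUDIT.fine("unauthenticated request addr=" + addr);
        } else {
            AUDIT.info("authenticated user=" + clean(user.getUser()) + " addr=" + addr);
        }
        return user;
    }

    /** The context may have no servlet request (e.g. background jobs). */
    private static String remoteAddr(XWikiContext context) {
        return context.getRequest() == null
            ? "-" : clean(context.getRequest().getRemoteAddr());
    }

    /** Strip CR/LF so attacker-chosen values cannot forge extra log lines. */
    private static String clean(String value) {
        return value == null ? "-" : value.replaceAll("[\\r\\n]", "_");
    }
}
```

The compiled jar goes on the web application's classpath and is selected with the xwiki.authentication.authclass setting shown in the message. Anyone who can replace that jar or edit xwiki.cfg controls authentication for the whole wiki, so both files need the same filesystem protection as the server itself.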