Details
-
New Feature
-
Resolution: Fixed
-
Major
-
1.26
-
None
Description
Problem:
In order for an application to have a configuration page or to modify a configuration page, modifications must be made to the code in AdminSheet so applications with configuration can't be made modular and third party applications must be configured some other way.
Solution:
A class called XWiki.Configurable and code which brings in any document which has an object of that class. An application need only add an object of this class and can then expect it's configuration will show on tha administration application.
Issues:
Security - Not just anyone should be able to have their page included in the administration application, only people who have edit rights on the administration page itself.
Security - The code should never run with programming access if it evaluates any potentaially untrustworthy code.
Upgradabulity - Moving configuration away from XWiki.XWikiPreferences will make upgrading more difficult because users won't have one place to save before upgrading. In my opinion the right solution is for the applications to upgrade themselves given that the import mechanism now supports adding a version.
More information and screenshots: http://incubator.myxwiki.org/xwiki/bin/view/Admin/ApplicationConfig
Email thread: http://xwiki.markmail.org/message/ql5hzfiuovy6jhin
Attachments
Issue Links
- causes
-
XWIKI-21122 Remote code execution/programming rights through document reference with configuration section from edit right
-
- Closed
-