roller-commits mailing list archives

From "Dave Johnson (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (ROL-342) The trustUsers configuration parameter
Date Sun, 20 Jan 2013 14:00:14 GMT

     [ https://issues.apache.org/jira/browse/ROL-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dave Johnson closed ROL-342.
----------------------------

    
> The trustUsers configuration parameter
> --------------------------------------
>
>                 Key: ROL-342
>                 URL: https://issues.apache.org/jira/browse/ROL-342
>             Project: Roller
>          Issue Type: Improvement
>          Components: Configuration & Settings
>            Reporter: David Johnson
>            Assignee: Dave Johnson
>
> Roller does not place the same things in the Velocity context as the stock Velocity Servlet
> does because, if we did, users could potentially hack into each other's accounts. For example,
> we don't put the ServletRequest into the context because users could call request.getSession()
> and get access to the global Roller object.
> There are two ways we can accommodate your need for cookies and I think both should be
> done:
> 1) add getCookie() and setCookie() methods to the pageModel object so that untrusted
> users in a multi-user Roller system can access cookies.
> 2) add a new Roller configuration parameter, a boolean, called "trustUsers". If you
> are setting up a Roller install for a single user or for a small group of users who you trust,
> you'd set this to true. If this parameter is true, then Roller will put the normal Velocity
> objects into context ($request, $response, $cookie, etc.). Otherwise, Roller will behave
> as it does now.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
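The two changes proposed in the issue, sketched as an added Java example that is not Roller's own code and not part of the JIRA message: a narrow `pageModel` wrapper exposing only `getCookie()`/`setCookie()`, and a `trustUsers` flag that decides whether the raw servlet objects go into the Velocity context at all. Class and method names (`TemplateContextBuilder`, `PageModel`, `build`, `cookieMap`) are assumptions; the `$cookie` object is stood in by a plain name-to-cookie map rather than the stock Velocity cookie tool.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical sketch of ROL-342; class and method names are assumed, not Roller's.
public final class TemplateContextBuilder {

    /**
     * Restricted accessor handed to every template. It holds the servlet
     * request/response privately, so a template can read and write cookies
     * but can never reach request.getSession() and the global objects behind it.
     */
    public static final class PageModel {
        private final HttpServletRequest request;
        private final HttpServletResponse response;

        PageModel(HttpServletRequest request, HttpServletResponse response) {
            this.request = request;
            this.response = response;
        }

        /** Value of the named cookie, or null if the request carries none by that name. */
        public String getCookie(String name) {
            Cookie[] cookies = request.getCookies();
            if (cookies == null) {
                return null;
            }
            for (Cookie c : cookies) {
                if (c.getName().equals(name)) {
                    return c.getValue();
                }
            }
            return null;
        }

        /** Sets a site-wide cookie; the response object itself stays out of the template. */
        public void setCookie(String name, String value, int maxAgeSeconds) {
            Cookie c = new Cookie(name, value);
            c.setMaxAge(maxAgeSeconds);
            c.setPath("/");
            response.addCookie(c);
        }
    }

    private final boolean trustUsers;

    /** trustUsers would be read from Roller's configuration; here it is passed in directly. */
    public TemplateContextBuilder(boolean trustUsers) {
        this.trustUsers = trustUsers;
    }

    /** Builds the objects the Velocity context will expose to a page template. */
    public Map<String, Object> build(HttpServletRequest request, HttpServletResponse response) {
        Map<String, Object> ctx = new HashMap<>();
        // Always present: the narrow cookie API for untrusted multi-user installs.
        ctx.put("pageModel", new PageModel(request, response));
        if (trustUsers) {
            // Trusted single-user / small-group install: behave like the stock Velocity servlet.
            ctx.put("request", request);
            ctx.put("response", response);
            ctx.put("cookie", cookieMap(request));
        }
        // Otherwise nothing else is added, matching Roller's existing behaviour.
        return ctx;
    }

    /** Stand-in for the stock $cookie object: a simple name-to-cookie map (assumption). */
    private static Map<String, Cookie> cookieMap(HttpServletRequest request) {
        Map<String, Cookie> byName = new HashMap<>();
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                byName.put(c.getName(), c);
            }
        }
        return byName;
    }
}
```

With `trustUsers` false the only way a template can touch request state is through `PageModel`, whose public surface is just the two cookie methods; with it true the context matches what the stock Velocity servlet provides, which is only appropriate when every template author is trusted with `$request` and therefore with the session behind it.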
