Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XWIKI-22798: The code macro is missing a required rights analyzer #3810

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

XWIKI-22798: The code macro is missing a required rights analyzer #3810

wants to merge 1 commit into from

Conversation

michitux
Copy link
Contributor

Jira URL

https://jira.xwiki.org/browse/XWIKI-22798

Changes

Description

  • Add a required rights analyzer for the code macro.
  • Add a test.

Clarifications

  • The bean manager is used to initialize the parameters to make sure that the behavior is exactly as in the actual macro execution.
  • I don't think other sources should require any special rights.

Screenshots & Video

grafik

Executed Tests

LANG=C.UTF-8 mvn clean install -Pdocker,legacy,integration-tests,quality -pl :xwiki-platform-rendering-macro-code

Expected merging strategy

  • Prefers squash: Yes
  • Backport on branches:
    • stable-16.4.x
    • stable-16.10.x
    • stable-17.0.x

@michitux
XWIKI-22798: The code macro is missing a required rights analyzer
75db22d 
* Add a required rights analyzer for the code macro.
* Add a test.
@michitux michitux self-assigned this Jan 20, 2025
@tmortagne
Copy link
Member

tmortagne commented Jan 20, 2025
edited
Loading

Don't you want to also cover context and content source parameter too ? Or maybe you are planning to do that in separate issues already ?

Actually, I'm wondering if we should have something more generic, which is checking all macro parameters descriptors for the type MacroContentSourceReference (instead of having to add a new MacroRequiredRightsAnalyzer for each macro which used this type of parameters). It's true that some macro might decide to ignore script type parameters, but I guess it's unlikely.

@michitux
Copy link
Contributor Author

Actually, I'm wondering if we should have something more generic, which is checking all macro parameters descriptors for the type MacroContentSourceReference (instead of having to add a new MacroRequiredRightsAnalyzer for each macro which used this type of parameters). It's true that some macro might decide to ignore script type parameters, but I guess it's unlikely.

The problem is that the impact of those parameters is quite different depending on the macro. For the code macro, the content of the script doesn't matter. For the context and content macro, it depends, and I think we also need to warn about the rights that the script variable's content requires. However, this is again not true for the context macro if the restricted parameter is true. And for both of them, we also need to analyze wiki content in the string source while this is not necessary for the code macro. Therefore, I'm not so sure how much we would gain with a central analyzer.

@tmortagne
Copy link
Member

tmortagne commented Jan 21, 2025
edited
Loading

My point was more that this macro parameter type is generic enough to be matched as something that makes the macro require script right (if using the script type), no so much as "a generic check is enough to cover all use cases". Maybe that generic check of that parameter type should be in some default macro analyzer which is used only if no specific analyzer was found for the given macro (did no check if we have the concept of default analyzer currently but I vaguely remember something like this) ? I just feel that it's very easy for a new macro to forget to provide an analyzer, and I'm petty sure this will happen all the time.

tmortagne
tmortagne approved these changes Jan 21, 2025
View reviewed changes
Copy link
Member

@tmortagne tmortagne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In any case, it looks OK for the code macro.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmortagne tmortagne tmortagne approved these changes

Assignees

@michitux michitux

Labels
backport stable-16.4.x backport stable-16.10.x backport stable-17.0.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@michitux @tmortagne