[#SCAFF-196] Provide macros the ability to determine if their rendering is part of a live-template

Confluence Extension: Scaffolding Plugin

Provide macros the ability to determine if their rendering is part of a live-template

Created: 13/Feb/08 03:27 AM Updated: 16/Jun/09 10:55 AM

Component/s:

{live-template}

Affects Version/s:

None

Fix Version/s:

2.7-dr9

Time Tracking:

Not Specified

Description

« Hide

The use case is:

Admin or space admin puts a security restricted macro (like sql macro for instance) is part of a live template.
User of live-template cannot render the restricted macro on the page using the live-template unless the page has an appropriate edit page restriction
User is unlikely to have the right permission to run an arbitrary instance of the macro
Admin should be able to allow the macro to be executed anyway, since the admin is in control of the content and usage of the macro

Once this change is made, the corresponding change will need to be made to the macro security code to recognize this circumstance and act appropriately.

All

Comments

Work Log

Change History

Sort Order:

[ Permalink | « Hide ]

Bob Swift added a comment - 13/Feb/08 03:29 AM

Here is an excerpt of the dialog we had on the topic:
(8:55:16 PM) David Peterson: "net.customware.confluence.scaffolding.live-template" will be either null or a Stack containing a string, either "space" or "global".
(8:55:22 PM) David Peterson: Yes.
(8:56:00 PM) David Peterson: Containing one or more strings, rather.
(8:56:20 PM) David Peterson: The top item on the stack will be the most recent template type to be executed.
(8:56:36 PM) Bob@home: ok, get the stack and check if not null, then check (perhaps) that they are all global if only global are allowed
(8:56:57 PM) David Peterson: Right
(8:57:08 PM) David Peterson: Although you may only want to check that the top-level one is global.
(8:57:12 PM) David Peterson: Depends on your paranoia.
(8:57:18 PM) Bob@home: hmm... in fact would just have to check the last one on stack
(8:57:21 PM) David Peterson: Yes
(8:57:24 PM) Bob@home: ok, agree
(8:57:30 PM) David Peterson: The only reason it's a stack is for technical reasons

(8:58:22 PM) Bob@home: I think that would work fine.

[ Permalink | « Hide ]

David Peterson added a comment - 01/Mar/08 12:40 PM

To confirm, checking if the current code is being executed by a live-template macro, check if the following value is not null:

HttpServletRequest.getAttribute( "net.customware.confluence.scaffold.live-template" )

It will be a Stack of words which are either "space" or "global" depending on the type of template being executed. Generally, security macros will only be interested in the top entry.

[ Permalink | « Hide ]

Bob Swift added a comment - 20/Mar/08 02:16 PM

I guess I don't have authority to close this item - so here is an update. Things seem to be working fine

. I am supporting both global and space templates. We are running dr9 in our production environment with the corresponding macro security change (beta). Will take it out of beta and release it soon based on our testing. Thanks for doing this so quickly.

[ Permalink | « Hide ]

brian thomas added a comment - 15/Jun/09 04:56 PM

Given that User Macros are only editable by administrators, I'd like very much to see the restrictions relaxed for calls within User Macros as well.

[ Permalink | « Hide ]

David Peterson added a comment - 16/Jun/09 07:45 AM

I think that would have to be something that Bob would implement...

[ Permalink | « Hide ]

Bob Swift added a comment - 16/Jun/09 10:55 AM

Agree. I would like it as well. I have thought about this, but so far have not come up with a good solution. David was able to add the enabler to scaffold (this issue), but we don't really have control over user macro running unless Atlassian gets involved. Please create an issue for Macro security and we can see what we can do from there.