request extra profile option to formattedtext HTML filter
Description
Attachments
depends on
Activity
Sam Ottenhoff April 8, 2013 at 11:02 AM
Kernel: 1.3.x r122360
Profile2: 1.5.x r122361
Hudson CI Server March 29, 2013 at 12:20 PM
Integrated in kernel-trunk #629 (See http://builds.sakaiproject.org:8080/job/kernel-trunk/629/)
fixed bug where DEFAULT would always end up as high (Revision 121963)
Result = SUCCESS
Aaron Zeckoski March 29, 2013 at 11:27 AM
And speaking of that, I found a bug where DEFAULT would always be treated as HIGH, it is fixed now though.
Aaron Zeckoski March 29, 2013 at 9:17 AM
"Thus I think we need 4 arguments: high, low, none, and default."
Good idea... I wish I thought of... of wait.... already in there.
From the patch:
+ /**
+ * Level of security to use while doing the scan of html content
+ */
+ public enum Level {
+ /**
+ * Use the configured system default (typically HIGH but may have been configured to LOW),
+ * this should be used in most cases and will be used if the level was set to null
+ */
+ DEFAULT,
+ /**
+ * Use for untrusted users (e.g. students)
+ */
+ HIGH,
+ /**
+ * Use for trusted users (e.g. teachers)
+ */
+ LOW,
+ /**
+ * Use for admins and special cases only (e.g. super admin)
+ */
+ NONE
+ }
Hudson CI Server March 29, 2013 at 8:53 AM
Integrated in kernel-trunk #627 (See http://builds.sakaiproject.org:8080/job/kernel-trunk/627/)
Added extra security level option to formattedtext HTML filter (allows selecting HIGH,LOW,NONE when scanning content) (Revision 121948)
Result = SUCCESS
In KNL-1015, I suggest extending formattedtext to have a new argument, profile. This should be a text string, which would cause antisamy to be called with that profile. I'm open to how to interpret it. Probably there should be predefined profile names that would then by mapped to an XML file that the site could change.
Intended use: Lessons currently distinguishes content supplied by instructors and students. Instructors should be able to prepare content fairly freely. However students shouldn't have to trust other students to be smart about security. Instructors can author primary content pages. Students can author comments, but there are also student content pages that look much like instructor content page. Other students can then comment on them (and shortly, use rubrics to assess them).
Currently student content always passes through the formattedtext filter. Whether instructor content does or not depends upon a setting in sakai.properties, which can be overridden for an individual instance on the tool by an administrator.
I would prefer to have the option of doing some checking for instructors, but allow more types of content.
I make this request without understanding anti-samy. But discussions have suggested that a default might prohibit embed and object. Many sites would probably like instructors to be able to use that (although Lessons has the ability to do its own embedded objects). However if there are significant security issues they might prefer for students not to be able to do that.