Editing pages with Velocity Macro

Hi,

we have some pages where we want to integrate content from other APIs, i.e. REST calls.
I have found a Velocity API call which fits:

{{velocity}}$xwiki.getURLContent('https://remote_api_call'){{/velocity}}

It works if somebody from the XWikiAdminGroup creates the page and edits it.
The page also renders correctly for normal users.

But if a normal user (with a group with scripting rights) wants to edit the page a warning dialogue appears:
After editing all macros are gone…

The documentation states (https://www.xwiki.org/xwiki/bin/view/Documentation/DevGuide/Scripting/)

…In addition, all scripting languages other than Velocity also require Programming Rights (see below for more details).

Do I understand something wrong?

Any ideas?

Best Regards

SH

btw. moved to help/discuss

I agree that the warning could be formulated better, what it should say is that a Velocity macro requires script right, but the used APIs could require programming right. The warning is quite correct here: $xwiki.getURLContent indeed requires programming right which is why it doesn’t work when the last author doesn’t have programming right.

Are you sure they’re gone and the code just isn’t executed anymore because the API requires programming right?

Thank you for the clarification!

You are absolutely right, in the source code the macro is still there, but it is not executed.

Is there any other solution beyond $xwiki.getURLContent, to do an editable external content integration without a programming right for normal xwiki users?

We are migrating from confluence and there is a html include, which can be done from any user.

Best regards

SH

Including external content is always not so easy from a security perspective. What should work with script right is to use an iframe in an HTML macro to display the content. Regarding security of iframes, see this discussion for a start.

You could also create a wiki macro to wrap this code. Then only the wiki macro itself needs programming rights. However, at least with the code you’ve shown, this creates a huge security vulnerability in your XWiki installation as it would allow any user to execute any code with programming right as the downloaded content will be executed with programming right. What you could do is use the context macro to restrict the external code, like

{{velocity}}
#set($remoteContent = $xwiki.getURLContent('https://remote_api_call'))
{{context restricted="true" source="script:remoteContent" /}}
{{/velocity}}

This code could be wrapped in a wiki macro that takes the URL as a parameter. However, note that this would still be a server side request forgery vulnerability. Depending on your setup this could be acceptable.
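
As an added illustration (not code from this thread or from XWiki itself) of what the wiki macro sketched above could look like, the following is the Velocity body of a wiki macro that takes the URL as a parameter named `url` (assumed to be declared as a macro parameter, read through `$xcontext.macro.params.url`). It also adds an allow-list of URL prefixes, with constructed placeholder hosts, so the macro only fetches from servers you chose, which narrows the server side request forgery surface mentioned above; the fetched content is still rendered through the restricted context macro.

```velocity
{{velocity}}
## Added example: body of a wiki macro that wraps the fetch-and-restrict pattern.
## Assumes a wiki macro parameter named "url" (hypothetical name).
#set ($url = $xcontext.macro.params.url)
## Constructed allow-list of URL prefixes; replace with your own servers.
## Only URLs starting with one of these are fetched, which limits where the
## server can be made to send requests.
#set ($allowedPrefixes = ['https://api.example.internal/', 'https://status.example.internal/'])
#set ($allowed = false)
#if ("$!url" != '')
#foreach ($prefix in $allowedPrefixes)
#if ($url.startsWith($prefix))
#set ($allowed = true)
#end
#end
#end
#if (!$allowed)
{{error}}The given URL is not in the allow-list of this macro.{{/error}}
#else
## The fetch itself runs with the macro author's programming right...
#set ($remoteContent = $xwiki.getURLContent($url))
## ...but the downloaded content is rendered in a restricted context, so any
## script macros it contains are not executed with programming right.
{{context restricted="true" source="script:remoteContent" /}}
#end
{{/velocity}}
```

Save this as the macro's content (with programming right, as the post says), and normal users can then write `{{mymacro url="https://api.example.internal/some/path" /}}` in their pages without needing programming right themselves; the allow-list check is done on the server every time the macro renders, not only when the page is saved.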

Hi,

your solution with an outsourced macro worked for me, thank you!
Now users with programming rights and normal users can edit the pages and it is always rendered.

The iFrame solution is not so nice, because there are always scrollbars and a frame around it and the sizing works only with pixels and percentages. If one just wants to fetch a small text part, it is oversized.
It is not so good to control…
https://extensions.xwiki.org/xwiki/bin/view/Extension/Iframe%20Macro#HExample


Thanks for the security hint, for my installation with a small private wiki with a few users it should be OK.

Best regards

SH