Custom News

Name: Custom News Plugin
Vendor: Adaptavist.com Ltd (Website)
Authors: Dan Hardiker
Homepage: http://confluence.atlassian.com/display/CODEGEIST/Custom+News+Plugin
Issue Management: n/a
Continuous Integration: n/a
Categories: Content Macros
Most Recent Version: 1.0
Availability: Confluence v2.3-dr1 to v2.10
State: Stable
Support: Unsupported Plugins
License: Freeware / Open Source (BSD)
Price: Donate
Release Docs: http://confluence.atlassian.com/display/CODEGEIST/Custom+News+Plugin
Java API Docs: n/a
Download Source: http://svn.atlassian.com/svn/public/contrib/confluence/custom-news-plugin/tags/1.0/
Download JAR: custom-news-plugin-1.0.jar

Description/Features

Security Risk

The body of this macro renders Velocity markup which, as the comments explain, can be exploited to get deeper access to the system. This is possible anywhere that you can place Velocity, so the macro should not be offered to untrusted users.

In an enclosed environment (such as a website) where you want explicit template control, this is likely to be for you.
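
An audit sketch for the risk described above, added here and not part of the plugin or the original page: it pulls {custom-news} bodies out of page wiki markup and flags any line that reaches a Java Class object through `.class` or `getClass()`, the access discussed in the comments. The function name, page titles and sample markup are constructed for illustration.

```python
import re

# Body between an opening {custom-news} (optionally with parameters) and its closing tag.
MACRO_BODY = re.compile(r"\{custom-news(?::[^}]*)?\}(.*?)\{custom-news\}", re.S)
# Velocity comments are never evaluated: "#* ... *#" blocks and "## ..." to end of line.
VTL_COMMENT = re.compile(r"#\*.*?\*#|##[^\n]*", re.S)
# Property or method access that hands the template a java.lang.Class object.
CLASS_ACCESS = re.compile(r"\.\s*(?:class\b|getClass\s*\()", re.I)


def _blank(match):
    """Replace a comment with only its newlines, so body line numbers stay correct."""
    return "\n" * match.group(0).count("\n")


def audit_page(title, markup):
    """Return (title, macro_index, body_line, text) for each class access in a macro body."""
    findings = []
    for index, macro in enumerate(MACRO_BODY.finditer(markup), start=1):
        body = VTL_COMMENT.sub(_blank, macro.group(1))
        for line_no, line in enumerate(body.split("\n"), start=1):
            if CLASS_ACCESS.search(line):
                findings.append((title, index, line_no, line.strip()))
    return findings


# Constructed sample pages (wiki markup), not taken from a real Confluence instance.
SAMPLE_PAGES = {
    "News home": (
        "h1. News\n{custom-news}\n## Setup our search\n"
        "#set($newsFinder = $helper.customNewsFinder)\n"
        "#set($stories = $newsFinder.getResults($renderContext))\n"
        "#foreach ($story in $stories.items)\n$story.item.title\n#end\n{custom-news}\n"
    ),
    "Press": (
        "Text outside the macro may mention Foo.class freely.\n"
        "{custom-news}\n## old idea: $helper.class\n"
        "#set($type = $helper.class)\n$type.name\n{custom-news}\n"
    ),
}

if __name__ == "__main__":
    for page_title, page_markup in SAMPLE_PAGES.items():
        for finding in audit_page(page_title, page_markup):
            print(finding)
```

The check deliberately prefers false positives: a flagged line is a prompt to review who can edit that page, not proof of abuse.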

An alternative to Confluence's blog posts macro to aid with customisation.

It provides a flexible news output using VTL in the macro body. A great alternative to the blog posts macro if you need to customise the output to make it better fit your design, e.g. in a blog.

Example Usage

  1. Install via the plugin repository, or manually.
  2. Use the following on a page:
    {custom-news}
    ## Setup our search
    #set($newsFinder = $helper.customNewsFinder)
    
    ## Just the most recent 3 news items
    #set($newsFinder.maxResults = 3)
    
    ## Group by year, then month. Order reverse chrono comes in at this point.
    $newsFinder.groupBy("year,month")
    
    ## Get specified news
    #set($stories = $newsFinder.getResults($renderContext))
    
    ## Don't bother if there's nothing there
    #if ($stories.items.size() > 0)
      <ol>
        #foreach ($story in $stories.items)
          <li><a href="$req.contextPath$generalUtil.getPageUrl($story.item)">$story.item.title</a></li>
        #end
      </ol>
    #end
    {custom-news}
    

Velocity Context

The following objects are available for use within the velocity context.

Name                  Object Type
$helper               com.adaptavist.customNews.CustomNewsHelper
$helper.newsFinder    com.adaptavist.customNews.CustomNewsFinder

The rest should be self-explanatory for anyone who is reasonably familiar with Velocity rendering in Confluence.

Version History

Version     Date          State    License                         Price
1.0 (#2)    29 Mar 2008   Stable   Freeware / Open Source (BSD)    Donate

Release Notes

The initial release

Contributors

Screenshots

Other Adaptavist Entries

Synonym Plugin — A search extractor for Confluence to inject synonyms for acronyms, words or phrases into the index to aid with searching
Ranking Macro — Yet another macro for voting/rating/ranking pages, this one is uniquely different to the others by providing a macro for ranking pages with a 'was this page useful' style approach, tracking only positive answers
Insert Picture Plugin — An in-place image management widget for Confluence to help with image attachment manipulation
Custom News — An alternative to Confluence's blog posts macro to aid with customisation
User Security Management Plugin — An enhancement for the Confluence user management system, to prompt better security practices - including email verification and admin vetting of signups
Plugin Message Client — A library which when included as an extracted dependency will allow java communication between the classloaders of the installed plugins
Attachment Download Plugin — Adds a servlet so you can download attachments from a page without needing to know the ID.
Statistical Analysis Plugin — Confluence has lacked a cluster-ready, enterprise scalable, remotely accessible statistically gathering and analysis plugin ... not any more!

  1. Mar 29, 2008

    David Peterson [CustomWare] says:

    You're really letting regular users put velocity markup into a page? Surely there are some significant security issues with that...

    1. Mar 29, 2008

      Dan Hardiker says:

      No more than Scriptix, which I'd say is actually far worse from a security standpoint. It's no worse than a space admin editing the page layouts. It's no worse than an admin adding a user macro (this really just provides an extra helper).

      If you don't trust your users you shouldn't be using this macro, however if you want to style up your site so that it looks more like a blog and you are in the scenario of being able to trust people who are adding content (which may be controlled) – then ya, I'd really let users put velocity markup into a page.

      Is there anything on the default velocity context that you particularly object to being available / being readily abusable (it could be removed very simply)?

      1. Mar 29, 2008

        David Peterson [CustomWare] says:

        It's not the default velocity context, it's that you can get access to pretty much everything by using the $anyObject.class.getClass("pick.a.secure.ClassName") trick. It doesn't matter how you restrict the context - any object lays the whole server open.

        And user macros are more secure - only admins can add them. If you don't trust your admins, you're in really big trouble.

        I don't have a problem with the plugin in general - as you say, it would be useful in a controlled environment, but I do think it would be worth putting a security warning on the main page.

        1. Apr 25, 2008

          Bob Swift says:

          Security warning would be good. I would just add Macro Security Plugin to restrict access to trusted users.

        2. Apr 26, 2008

          Dan Hardiker says:

          Agreed, security warning added.

  2. Apr 15, 2008

    Jens Schumacher says:

    I've been wanting a decent blog post layout for a while now. But instead of using a macro to create the blog post view I probably would have written a theme that customises the news in Confluence.

    That will give you greater flexibility and even lets you bundle macros with your theme to display flickr photos or delicious feeds.

    1. Apr 15, 2008

      David Peterson [CustomWare] says:

      I think this is more of a replacement for the standard {blog-posts} macro than anything else. I'm not sure how making this a theme modification for news helps...

      In general, I find that theme modifications are actually quite restrictive. If you want one particular part of a theme (eg the news layout) you are stuck with the whole theme, not just the bit you want. If I like the 'conflikr' theme, for example, but want to use some customised macros which change the news layout, I'm stuck unless I create my own custom theme which copy-n-pastes the bits I want into one Frankenstein monster. Then any future updates will have to be grafted in also.

      What would be great is if you could select decorators individually - grab my news decorator from one theme, my page decorator from another. But that's a core Confluence change...

      1. Apr 30, 2008

        Dan Hardiker says:

        This plugin has been used fairly regularly over the past year for places where we've used Builder to create a design and they've wanted a custom formatted output of the news (e.g. showing a logo along with the press releases, or customising the date outputted to just month + year).

        It's more about being able to change the HTML outputted and then using Builder/the macro to style that up how you want.

  3. Apr 15, 2008

    David Peterson [CustomWare] says:

    FYI, you can do this with the Reporting Plugin, something like this:

    {report-block:maxResults=3|injected=true}
    {content-reporter:type=news}
      {date-sort:creation date|order=descending}
    {content-reporter}
    
    {repeat-filter:creation date > yyyy}
    {report-body}h2. %creation date > yyyy%{report-body}
    
    {repeat-filter:creation date > MM yyyy}
    {report-body}h3. %creation date > MMMM yyyy%{report-body}
    
    {report-body}* _%creation date > d MMMM "@" hh:mm a%_ {report-info:title|link=true}{report-body}
    
    {report-block}
    

    This will output the 'h2' report-body once per year, the 'h3' report-body once per month, and the individual item as they appear. Years and months which do not have an entry will not be output.

    As I said, just an FYI...

  4. Sep 16

    Informatiediensten says:

    Hi there,

    This custom news is a good replacement for the blog post that we have been using!

    However I am not that familiar with the use of velocity markup. I am using the example that is given above in our wiki.

    I was wondering if someone can give me an idea how to not only display the titles but also the (creation)date.

    Thanks a lot! Rebecca