Hi Marc,
The invocation of xquery:eval requires admin privileges; but if you are an admin user, you can decide under which permissions this query will be executed.
If you want to evaluate an XPath expression with a limited user and the REST API, it should be sufficient to supply this path as query:
http://localhost/rest/db?query=/path
You can also address and run a server-side query:
http://localhost/rest/db?run=xpath.xq
If you need to further process the results of a dynamic XPath query, you’ll probably need to switch to RESTXQ.
Your use case is inspiring, though: Maybe we could make xquery:eval more flexible and run it with the permissions of the current client. A client may then be allowed to further restrict the permission scope: If a client has 'read' permissions, (s)he could further restrict the permissions to 'none' (but not extend it to e.g. 'write').
I’ll have some more thought on that, as we currently don’t have any functions that have dynamic permissions at runtime.
Best, Christian
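
An added example, not part of the original message and not BaseX project code: a RESTXQ function that evaluates a client-supplied XPath with xquery:eval under a reduced permission and a timeout. The module namespace, the /eval path, the function name and the parameter names are hypothetical, and it assumes the RESTXQ module runs as a user who is allowed to call xquery:eval.

```xquery
(: Added example. Namespace, path and names are hypothetical. :)
module namespace page = 'http://example.org/xpath-eval';

declare
  %rest:GET
  %rest:path('/eval/{$db}')
  %rest:query-param('xpath', '{$xpath}', '/')
  %output:method('xml')
function page:eval(
  $db    as xs:string,
  $xpath as xs:string
) as element() {
  (: Options for the evaluated expression only: it runs with 'read'
     permission regardless of the caller's own rights, and is
     interrupted after 5 seconds. :)
  let $options := map {
    'permission': 'read',
    'timeout': 5
  }
  return try {
    <results>{
      (: The client string is never concatenated into a larger query.
         Each document is bound as the context item ('' key), so the
         XPath is compiled on its own and evaluated against that node. :)
      for $doc in collection($db)
      return xquery:eval($xpath, map { '': $doc }, $options)
    }</results>
  } catch * {
    (: Syntax errors, permission violations and timeouts end up here;
       return the error code and message without a stack trace. :)
    <error code='{ $err:code }'>{ $err:description }</error>
  }
};
```

With 'read', the evaluated expression can still open other databases the server holds; 'none' is the stricter setting if the bound context nodes are all it should see.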