Hi,<div> </div><div>I am using restxq. I started implementing security at the application level, with a prerequisite that the user at least exists in the global context of BaseX. </div><div><br></div><div>So far so good. </div>

<div><br></div><div>Thanks,</div><div><br></div><div>France</div><div><br><div class="gmail_quote">On Mon, Apr 8, 2013 at 3:02 AM, Dirk Kirsten <span dir="ltr">&lt;<a href="mailto:dk@basex.org" target="_blank">dk@basex.org</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello France,<div><br></div><div>which interface do you use to communicate to BaseX? If you use REST, I don&#39;t think an access control with WRITE but without READ access is possible.</div>

<div>
If you use RestXQ you can have user-level security at the application level. At the start of each function you could have a construct like so:</div><div><br></div><div>if (not(security:logged-in($user))) then web:redirect(&quot;login-failed.html&quot;) else</div>


<div><br></div><div>At the security:logged-in function you would have some kind of logic you determine if this user has access for this page. It seems natural to save $user in a session variable.</div><div>
<br></div><div>Cheers,</div><div>Dirk</div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Mon, Apr 8, 2013 at 3:17 AM, France Baril <span dir="ltr">&lt;<a href="mailto:france.baril@architextus.com" target="_blank">france.baril@architextus.com</a>&gt;</span> wrote:<br>


</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">Hi, <div><br></div><div>I am trying to secure access to some of our content. </div><div>

<br></div><div>Case:</div><div>
<ol><li>User reads our content and completes the feedback form.</li><li>A file is saved in our &quot;Feedback&quot; database for each form that is submitted.</li>

</ol><div>Security:</div><div><ul><li>Let anonymous users WRITE to the DB using the web form</li><li>Do not allow unauthenticated users to READ comments.</li></ul><div>Solution so far to avoid making user/password known:</div>




</div><div><ol><li>Save feedback in an unsecured DB.</li><li>Redirect to function that moves the feedback file to a secured DB.</li></ol><div>Issue:</div></div><div><ul><li>Security seems to limit access to files when they are addressed as db:open(DB, path).</li>




<li>All functions that grab data, crunch the data and display it in an HTML table seem to remain available to everyone. </li></ul><div>Questions:</div></div><div><ul><li>Instead of securing the DB, we were thinking of securing the functions: Open access to &#39;submit-comment&#39; for all users, require authentication for all other functions.<br>




Is this possible, if so can you point me to useful documentation?</li><li>Do you have any other suggestion?</li></ul></div><span><font color="#888888"><div><div><br></div>-- <br>France Baril<br>Architecte documentaire / Documentation architect<br>


<a href="mailto:france.baril@architextus.com" target="_blank">france.baril@architextus.com</a><br>

<a href="tel:%28514%29%20572-0341" value="+15145720341" target="_blank">(514) 572-0341</a>
</div></font></span></div>
<br></div></div>_______________________________________________<br>
BaseX-Talk mailing list<br>
<a href="mailto:BaseX-Talk@mailman.uni-konstanz.de" target="_blank">BaseX-Talk@mailman.uni-konstanz.de</a><br>
<a href="https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk" target="_blank">https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk</a><br>
<br></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div><span style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">Dirk Kirsten, BaseX GmbH, </span><a href="http://basex.org/" style="color:rgb(17,85,204);font-size:13.333333969116211px;font-family:arial,sans-serif" target="_blank">http://basex.org</a></div>


<span style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">|-- Firmensitz: Blarerstrasse 56, 78462 Konstanz</span><br style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">


<span style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">|-- Registergericht Freiburg, HRB: 708285, Geschäftsführer:</span><br style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">


<span style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">|   Dr. Christian Grün, Alexander Holupirek, Michael Seiferle</span><br style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">


<span style="color:rgb(34,34,34);font-size:13.333333969116211px;font-family:arial,sans-serif">`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22</span>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>France Baril<br>Architecte documentaire / Documentation architect<br><a href="mailto:france.baril@architextus.com">france.baril@architextus.com</a><br>(514) 572-0341
</div>