Hi Matthew,

Thanks for providing me access to your fork. I’ve done some quick tests, and I noticed the following:

• The Database panel should only list those databases that a particular user has access to.
• It must not be allowed to run queries like admin:logs() unless you have 'admin' permissions. More generally, the permissions used for running queries must not be more powerful than those of the current user.
• The Jobs panel must be limited to Admin users; at least that’s how our current permission model is designed (the current solution could possibly be enhanced, such that users with fewer permissions could see their own jobs). 

You can either try the BaseX client to find out what users with fewer permissions are allowed to do, or you can look into the code [1].

Hope this helps; feel free to ask for more details,
Christian

On Mon, Aug 21, 2023 at 7:34 PM Matthew Dziuban <mrdziuban@gmail.com> wrote:
Hi all,

While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?

I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7

If you're open to this, I'd be happy to open a pull request with my changes!

Thanks,
Matt