Hi Chris,
Sorry for letting you wait. These are the current conditions:
With REST, the permission of each command of a script is currently checked immediately before its execution. If a single command does not have enough permissions, the execution of the command, and all subsequent commands, will be canceled.
If the BaseX client is used, permissions are checked before the supplied script is accessed. As a script may contain admin commands, ADMIN permissions are required for any script.
The status quo is inconsistent indeed. The most flexible approach would be to first check all commands and queries before eventually executing them. As this requires full parsing of XQuery expressions, this would require some basic changes in the permission check architecture.
The simpler solution would be to restrict REST scripts to ADMIN permissions, but I guess that this would break running application… Including yours?
Best, Christian