Hi all,
In 7.3, I am using db:add (through an XQJ XQPreparedExpression) to add documents to a database. For a BaseX user to do that, I need to grant that database user the GLOBAL write permissions. With just LOCAL write permissions, I get:
javax.xml.xquery.XQQueryException: [BASX0001]: WRITE permission required.
Is this the expected behaviour?
This is troublesome, as the GLOBAL write permission also gives that user read and write permissions on ALL other databases, unless these permissions are explicitly revoked. So, as a workaround, I can grant all users GLOBAL write permissions, and then explicitly deny all users LOCAL permissions to all existing databases that are not theirs.
(Reading is not a problem with just local permissions. And as an aside: using "-i" on the command line even seems to require global CREATE permissions. But I don't really use that.)
Any thoughts?
Details below. Arjan.
# 1. Create database and a user, with password "secret":
./basexclient -U admin -P admin
create db db1
Database 'db1' created in 11.05 ms.
create user user1 5ebe2294ecd0e0f08eab7690d2a6ee69
User 'user1' created.
grant write on db1 to user1
WRITE granted to 'user1' on 'db1'.
show users on db1
Username  Read  Write
---------------------
user1     X     X
1 Users.
# 2. Let's let this user access their own database.
# Odd, using the command line "-i" even needs CREATE permissions?
./basexclient -U user1 -P secret -i db1
CREATE permission needed.
# 3. Let's ignore that for now; using "open" works just fine:
./basexclient -U user1 -P secret
open db1
Database 'db1' was opened in 0.91 ms.
xquery db:add("db1", "<test><a>created by user1</a></test>", "test-doc-1")
Stopped at line 1, column 67: [BASX0001] WRITE permission required.
# 4. Okay, let's give the user the GLOBAL write permissions
./basexclient -U admin -P admin
grant write to user1
WRITE granted to 'user1'.
show users
Username  Read  Write  Create  Admin
-------------------------------------
admin     X     X      X       X
user1     X     X
2 Users.
# 5. All fine for user1 now:
./basexclient -U user1 -P secret
xquery db:add("db1", "<test><a>created by user1</a></test>", "test-doc-1")
Query executed in 6.18 ms.
# 6. Let's create another user, with their own database, and the GLOBAL write as well:
./basexclient -U admin -P admin
create db db2
Database 'db2' created in 5.09 ms.
create user user2 5ebe2294ecd0e0f08eab7690d2a6ee69
User 'user2' created.
grant write to user2
WRITE granted to 'user2'.
grant write on db2 to user2
WRITE granted to 'user2' on 'db2'.
show users
Username  Read  Write  Create  Admin
-------------------------------------
admin     X     X      X       X
user1     X     X
user2     X     X
3 Users.
show users on db1
Username  Read  Write
---------------------
user1     X     X
1 Users.
show users on db2
Username  Read  Write
---------------------
user2     X     X
1 Users.
# 7. And prove that user2 can now access db1, due to the global WRITE permissions:
open db1
Database 'db1' was opened in 1.9 ms.
xquery db:add("db1", "<test><a>created by user2 in db1</a></test>", "test-doc-2")
Query executed in 1.27 ms.
xquery /
<test> <a>created by user1</a> </test><test> <a>created by user2 in db1</a> </test>
Query executed in 0.72 ms.
# 8. That's bad. Let's explicitly revoke permissions from user2:
grant none on db1 to user2
NONE granted to 'user2' on 'db1'.
show users on db1
Username  Read  Write
---------------------
user1     X     X
user2
2 Users.
# 9. And have that user try again:
./basexclient -U user2 -P secret
open db1
READ permission needed.
xquery db:add("db1", "<test><a>created by user2 in db1</a></test>", "test-doc-3")
Stopped at line 1, column 74: [BXDB0002] READ permission needed.
# That's more like it. But: what about when I forget that one day...?
http://docs.basex.org/wiki/User_Management
http://docs.basex.org/wiki/Database_Module#Updates
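An added example (not from the post above or from the BaseX project) that scripts the workaround described in step 8 for a whole list of databases, so the "grant none" step is generated from the full database list rather than remembered by hand; it assumes basexclient accepts commands on standard input, and the database names db3 and the user list are constructed for illustration.

```shell
# Emit the BaseX commands for the workaround from the post: grant GLOBAL write
# (needed by db:add), keep LOCAL write on the user's own database, and grant
# NONE on every other existing database so the global right does not leak.
# Usage: basex_lockdown_commands <user> <owned-db> <all existing dbs...>
basex_lockdown_commands() {
    user=$1
    owned=$2
    shift 2
    printf 'grant write to %s\n' "$user"
    printf 'grant write on %s to %s\n' "$owned" "$user"
    for db in "$@"; do
        if [ "$db" != "$owned" ]; then
            # Revoke both read and write on databases the user does not own.
            printf 'grant none on %s to %s\n' "$db" "$user"
        fi
    done
}

# Constructed example: user2 owns db2; db1 and db3 must be denied explicitly.
# Set BASEX_APPLY=1 to pipe the generated commands into basexclient as admin
# (assumes basexclient reads commands from stdin in console mode).
if [ "${BASEX_APPLY:-0}" = "1" ]; then
    basex_lockdown_commands user2 db2 db1 db2 db3 | ./basexclient -U admin -P admin
fi
```

Run it once per user with the current output of "list" as the database list, and re-run it whenever a new database is created, since a database created later is not covered by earlier "grant none" commands.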