Hi all,

In 7.3, I am using db:add (through an XQJ XQPreparedExpression) to add documents to a database. For a BaseX user to do that, I need to grant that database user the GLOBAL write permissions. With just LOCAL write permissions, I get:

  javax.xml.xquery.XQQueryException: [BASX0001]: WRITE permission required.

Is this the expected behaviour? This is troublesome, as the GLOBAL write permission also gives that user read and write permissions on ALL other databases, unless these permissions are explicitly revoked. So, as a workaround, I can grant all users GLOBAL write permissions, and then explicitly deny all users LOCAL permissions to all existing databases that are not theirs.

(Reading is not a problem with just local permissions. And as an aside: using "-i" on the command line even seems to require global CREATE permissions. But I don't really use that.)

Any thoughts? Details below.

Arjan.

# 1. Create database and a user, with password "secret":

./basexclient -U admin -P admin
create db db1
  Database 'db1' created in 11.05 ms.
create user user1 5ebe2294ecd0e0f08eab7690d2a6ee69
  User 'user1' created.
grant write on db1 to user1
  WRITE granted to 'user1' on 'db1'.
show users on db1
  Username  Read  Write
  user1     X     X
  1 Users.

# 2. Let this user access their own database.
# Odd, using the command line "-i" even needs CREATE permissions?

./basexclient -U user1 -P secret -i db1
  CREATE permission needed.

# 3. Let's ignore that for now; using "open" works just fine:

./basexclient -U user1 -P secret
open db1
  Database 'db1' was opened in 0.91 ms.
xquery db:add("db1", "<test><a>created by user1</a></test>", "test-doc-1")
  Stopped at line 1, column 67: [BASX0001] WRITE permission required.

# 4. Okay, let's give the user the GLOBAL write permissions:

./basexclient -U admin -P admin
grant write to user1
  WRITE granted to 'user1'.
show users
  Username  Read  Write  Create  Admin
  admin     X     X      X       X
  user1     X     X
  2 Users.

# 5. All fine for user1 now:

./basexclient -U user1 -P secret
xquery db:add("db1", "<test><a>created by user1</a></test>", "test-doc-1")
  Query executed in 6.18 ms.

# 6. Let's create another user, with their own database, and the GLOBAL write as well:

./basexclient -U admin -P admin
create db db2
  Database 'db2' created in 5.09 ms.
create user user2 5ebe2294ecd0e0f08eab7690d2a6ee69
  User 'user2' created.
grant write to user2
  WRITE granted to 'user2'.
grant write on db2 to user2
  WRITE granted to 'user2' on 'db2'.
show users
  Username  Read  Write  Create  Admin
  admin     X     X      X       X
  user1     X     X
  user2     X     X
  3 Users.
show users on db1
  Username  Read  Write
  user1     X     X
  1 Users.
show users on db2
  Username  Read  Write
  user2     X     X
  1 Users.

# 7. And prove that user2 can now access db1, due to the global WRITE permissions:

open db1
  Database 'db1' was opened in 1.9 ms.
xquery db:add("db1", "<test><a>created by user2 in db1</a></test>", "test-doc-2")
  Query executed in 1.27 ms.
xquery /
  <test>
    <a>created by user1</a>
  </test><test>
    <a>created by user2 in db1</a>
  </test>
  Query executed in 0.72 ms.

# 8. That's bad. Let's explicitly revoke permissions from user2:

grant none on db1 to user2
  NONE granted to 'user2' on 'db1'.
show users on db1
  Username  Read  Write
  user1     X     X
  user2
  2 Users.

# 9. And have that user try again:

./basexclient -U user2 -P secret
open db1
  READ permission needed.
xquery db:add("db1", "<test><a>created by user2 in db1</a></test>", "test-doc-3")
  Stopped at line 1, column 74: [BXDB0002] READ permission needed.

# That's more like it. But: what when I forget that one day...?

http://docs.basex.org/wiki/User_Management
http://docs.basex.org/wiki/Database_Module#Updates
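The workaround in the post (grant GLOBAL write, then explicitly set LOCAL "none" on every database the user does not own) is exactly the kind of step that gets forgotten when a new database or user is added. As an added example, not part of the original post and not BaseX's own tooling, the shell helper below generates the `grant none on <db> to <user>` commands that the workaround needs. The user-to-owned-database mapping and the list of all databases are constructed sample input (assumption: each user owns exactly one database, as in the post; in practice the database list would be taken from the `list` command, whose output parsing is not shown). The usage line assumes `basexclient` is on the PATH and uses the admin credentials from the post; it is an assumption that the client reads commands from a pipe.

```shell
#!/bin/sh
# Added example, not from the original post or from BaseX. Generates the
# "grant none on <db> to <user>" commands the workaround needs: once a user
# has GLOBAL write, every database the user does not own must get an
# explicit LOCAL "none" permission (the command syntax is the one shown
# working in the post: "grant none on db1 to user2").

# Constructed sample input: one "user owned-db" pair per line.
# Assumption: each user owns exactly one database, as in the post.
OWNERS="user1 db1
user2 db2"

# Constructed sample list of all databases on the server. In practice this
# comes from the "list" command; parsing its output is not shown here.
ALL_DBS="db1 db2 db3"

# revoke_commands USER OWN_DB DB...
# Prints one "grant none on <db> to <user>" line for every DB that is not
# OWN_DB, in the order given. Prints nothing if the user owns every DB.
revoke_commands() {
  user=$1
  own=$2
  shift 2
  for db in "$@"; do
    [ "$db" = "$own" ] && continue
    printf 'grant none on %s to %s\n' "$db" "$user"
  done
}

# all_revoke_commands
# Runs revoke_commands for every "user owned-db" line in OWNERS against
# ALL_DBS, so the output is a complete command script for the admin.
all_revoke_commands() {
  printf '%s\n' "$OWNERS" | while read -r user own; do
    [ -z "$user" ] && continue
    # ALL_DBS is intentionally left unquoted so it word-splits into args.
    revoke_commands "$user" "$own" $ALL_DBS
  done
}

# Usage (assumption: basexclient on the PATH, admin password as in the post,
# and the client accepting commands on stdin):
#   all_revoke_commands | basexclient -U admin -P admin
# Run stand-alone, the script just shows the commands it would send:
all_revoke_commands
```

Re-running the generator after every `create db` or `create user` (for example from the same deployment script that creates them) keeps the explicit LOCAL denials in step with the GLOBAL write grants, which is the part of the workaround that is easy to forget.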