Hi Frank,
The argument for %perm:allow is an arbitrary string, which needs to be interpreted in an additional function with a %perm:check annotation [1]. If you use sessions to remember the permission of your current user, such a function could look as follows:

declare
  %perm:check('/', '{$perm}')
function local:check($perm) {
  if ($perm?allow = Session:get('permission')) then (
    ()
  ) else (
    web:error(401, 'Not authorized')
  )
};

How do you handle users in your web app?
Best, Christian
[1] https://docs.basex.org/wiki/Permissions#Checking_Permissions
On Sat, Jun 12, 2021 at 6:48 PM SW-Service sw-service@gmx.de wrote:
Hello, should perm force authentication and only the user "admin" would be authorised? Best regards Frank

module namespace page = 'http://basex.org/test';

declare
  %rest:path("basex-rest/test/check-rest-perm")
  %perm:allow("admin")
  %rest:GET
  %output:method("xml")
function page:test-check-rest-perm() as element(response) {
  let $response := element response { 'Response' }
  return $response
};

<response>Response</response>
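
The following module combines the endpoint from the question with a check function of the kind described in the reply. It is an added example, not code from the thread or from the BaseX project. The login path, the session key 'id', the lowercase `session` prefix, the mapping of %perm:allow strings to BaseX user permissions via user:list-details, and RESTXQ running with admin rights (needed by the user: functions) are assumptions.

```xquery
(: Added example, not from the thread. Assumed: login path, session key 'id',
   and that %perm:allow strings name BaseX user permissions. :)
module namespace page = 'http://basex.org/test';

declare namespace session = 'http://basex.org/modules/session';

(:~ Login: checks the credentials against the BaseX user database. :)
declare
  %rest:path('/basex-rest/login')
  %rest:POST
  %rest:form-param('name', '{$name}')
  %rest:form-param('pass', '{$pass}')
function page:login($name as xs:string, $pass as xs:string) {
  try {
    user:check($name, $pass),
    session:set('id', $name),
    <response>Logged in</response>
  } catch user:* {
    (: failed login: nothing is stored in the session :)
    web:error(401, 'Not authorized')
  }
};

(:~ Runs before every function below /basex-rest/test and enforces %perm:allow. :)
declare
  %perm:check('/basex-rest/test', '{$perm}')
function page:check($perm as map(*)) {
  let $user := session:get('id')
  return if (empty($user)) then (
    (: no session: the caller has not authenticated :)
    web:error(401, 'Not authorized')
  ) else if (empty($perm?allow)) then (
    (: deny by default: a function without %perm:allow stays closed :)
    web:error(403, 'Forbidden')
  ) else if (user:list-details($user)/@permission = $perm?allow) then (
    ()
  ) else (
    web:error(403, 'Forbidden')
  )
};

(:~ Endpoint from the question; the annotation is now interpreted by page:check. :)
declare
  %rest:path('/basex-rest/test/check-rest-perm')
  %rest:GET
  %output:method('xml')
  %perm:allow('admin')
function page:test-check-rest-perm() as element(response) {
  element response { 'Response' }
};
```

The login path lies outside the checked prefix, so it stays reachable without a session, while a GET on the test path without a session is answered with 401 instead of the response element shown above.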