I'm contemplating the construction of an interface for advanced or dedicated users of a database, with a text box in which they type their queries as XQuery modules. (Non-advanced and non-dedicated users will make do with a variety of pre-defined queries; this interface is intended to provide an open-ended query interface for the few users who will need it.)
If possible, xquery:eval() should be avoided for such operations (we may eventually rename it to evil()). The solution which you find on our homepage [1] is based on our REST interface, and a user whose permissions are restricted to reading the example databases. This way, queries like "file:list('.')" will be rejected. The query timeout (which doesn’t apply to admin queries [2]) has been set to 10 seconds. There is currently no way to restrict memory resources in this demo, because the query will run in the same virtual machine as the server instance. One solution could be to start a new BaseX (server) instance with limited memory (-Xmx).
Feedback from other users is welcome. Christian
[1] http://basex.org/products/live-demo/ [2] http://docs.basex.org/wiki/Options#TIMEOUT