Hi,
I am trying to secure access to some of our content.
Case:
1. User reads our content and completes the feedback form. 2. A file is saved in our "Feedback" database for each form that is submitted.
Security:
- Let anonymous users WRITE to the DB using the web form - Do not allow unauthenticated users to READ comments.
Solution so far to avoid making user/password known:
1. Save feedback in an unsecured DB. 2. Redirect to function that moves the feedback file to a secured DB.
Issue:
- Security seems to limit access to files when they are addressed as db:open(DB, path). - All functions that grab data, crunch the data and display it in an HTML table seem to remain available to everyone.
Questions:
- Instead of securing the DB, we were thinking of securing the functions: Open access to 'submit-comment' for all users, require authentication for all other functions. Is this possible, if so can you point me to useful documentation? - Do you have any other suggestion?
Hello France,
which interface do you use to communicate to BaseX? If you use REST, I don't think an access control with WRITE but without READ access is possible. If you use RestXQ you can have user-level security at the application level. At the start of each function you could have a construct like so:
if (not(security:logged-in($user))) then web:redirect("login-failed.html") else
At the security:logged-in function you would have some kind of logic you determine if this user has access for this page. It seems natural to save $user in a session variable.
Cheers, Dirk
On Mon, Apr 8, 2013 at 3:17 AM, France Baril france.baril@architextus.comwrote:
Hi,
I am trying to secure access to some of our content.
Case:
- User reads our content and completes the feedback form.
- A file is saved in our "Feedback" database for each form that is
submitted.
Security:
- Let anonymous users WRITE to the DB using the web form
- Do not allow unauthenticated users to READ comments.
Solution so far to avoid making user/password known:
- Save feedback in an unsecured DB.
- Redirect to function that moves the feedback file to a secured DB.
Issue:
- Security seems to limit access to files when they are addressed as
db:open(DB, path).
- All functions that grab data, crunch the data and display it in an
HTML table seem to remain available to everyone.
Questions:
- Instead of securing the DB, we were thinking of securing the
functions: Open access to 'submit-comment' for all users, require authentication for all other functions. Is this possible, if so can you point me to useful documentation?
- Do you have any other suggestion?
-- France Baril Architecte documentaire / Documentation architect france.baril@architextus.com (514) 572-0341
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
Hi,
I am using restxq. I started implementing security at the application level, with a prerequisite that the user at least exists in the global context of BaseX.
So far so good.
Thanks,
France
On Mon, Apr 8, 2013 at 3:02 AM, Dirk Kirsten dk@basex.org wrote:
Hello France,
which interface do you use to communicate to BaseX? If you use REST, I don't think an access control with WRITE but without READ access is possible. If you use RestXQ you can have user-level security at the application level. At the start of each function you could have a construct like so:
if (not(security:logged-in($user))) then web:redirect("login-failed.html") else
At the security:logged-in function you would have some kind of logic you determine if this user has access for this page. It seems natural to save $user in a session variable.
Cheers, Dirk
On Mon, Apr 8, 2013 at 3:17 AM, France Baril <france.baril@architextus.com
wrote:
Hi,
I am trying to secure access to some of our content.
Case:
- User reads our content and completes the feedback form.
- A file is saved in our "Feedback" database for each form that is
submitted.
Security:
- Let anonymous users WRITE to the DB using the web form
- Do not allow unauthenticated users to READ comments.
Solution so far to avoid making user/password known:
- Save feedback in an unsecured DB.
- Redirect to function that moves the feedback file to a secured DB.
Issue:
- Security seems to limit access to files when they are addressed as
db:open(DB, path).
- All functions that grab data, crunch the data and display it in an
HTML table seem to remain available to everyone.
Questions:
- Instead of securing the DB, we were thinking of securing the
functions: Open access to 'submit-comment' for all users, require authentication for all other functions. Is this possible, if so can you point me to useful documentation?
- Do you have any other suggestion?
-- France Baril Architecte documentaire / Documentation architect france.baril@architextus.com (514) 572-0341
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
-- Dirk Kirsten, BaseX GmbH, http://basex.org |-- Firmensitz: Blarerstrasse 56, 78462 Konstanz |-- Registergericht Freiburg, HRB: 708285, Geschäftsführer: | Dr. Christian Grün, Alexander Holupirek, Michael Seiferle `-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
basex-talk@mailman.uni-konstanz.de
-
Dirk Kirsten -
France Baril