New subject: User rights: does using db:add really need the GLOBAL write permission?

26 Sep 2012

      Hi all,

In 7.3, I am using db:add (through a XQJ XQPreparedExpression) to add
documents to a database. For a BaseX user to do that, I need to grant
that database user the GLOBAL write permissions. With just LOCAL write
permissions, I get:

    javax.xml.xquery.XQQueryException: [BASX0001]: WRITE permission required.

Is this the expected behaviour?

This is troublesome, as the GLOBAL write permission also gives that
user read and write permissions on ALL other databases, unless these
permissions are explicitly revoked. So, as a workaround, I can grant
all user GLOBAL write permissions, and then explicitly deny all users
LOCAL permissions to all existing databases that are not theirs.

(Reading is not a problem with just local permissions. And as an
aside: using "-i" on the command line even seems to require global
CREATE permissions. But I don't really use that.)

Any thoughts?

Details below.
Arjan.

# 1. Create database and a user, with password "secret":

./basexclient -U admin -P admin
...
create db db1
Database 'db1' created in 11.05 ms.
...
create user user1 5ebe2294ecd0e0f08eab7690d2a6ee69
User 'user1' created.
...
grant write on db1 to user1
WRITE granted to 'user1' on 'db1'.
...
show users on db1
Username  Read  Write

user1     X     X

1 Users.

# 2. Let's this user access their own database.
# Odd, using the command line "-i" even needs CREATE permissions?

./basexclient -U user1 -P secret -i db1
CREATE permission needed.

# 3. Let's ignore that for now; using "open" works just fine:

./basexclient -U user1 -P secret
...
open db1
Database 'db1' was opened in 0.91 ms.
...
xquery db:add("db1", "<test><a>created by user1</a></test>", "test-doc-1")
Stopped at line 1, column 67:
[BASX0001] WRITE permission required.
# 4. Okay, let's give the user the GLOBAL write permissions

./basexclient -U admin -P admin
...
grant write to user1
WRITE granted to 'user1'.
show users
Username   Read  Write  Create  Admin

admin      X     X      X       X
user1      X     X

2 Users.

# 5. All fine for user1 now:

./basexclient -U user1 -P secret
...
xquery db:add("db1", "<test><a>created by user1</a></test>", "test-doc-1")
Query executed in 6.18 ms.
# 6. Let's create another user, with their own database, and the
GLOBAL write as well:

./basexclient -U admin -P admin
...
create db db2
Database 'db2' created in 5.09 ms.
...
create user user2 5ebe2294ecd0e0f08eab7690d2a6ee69
User 'user2' created.
...
grant write to user2
WRITE granted to 'user2'.
...
grant write on db2 to user2
WRITE granted to 'user2' on 'db2'.
...
show users
Username   Read  Write  Create  Admin

admin      X     X      X       X
user1      X     X
user2      X     X

3 Users.
...
show users on db1
Username  Read  Write

user1     X     X

1 Users.
...
show users on db2
Username  Read  Write

user2     X     X

1 Users.

# 7. And prove that user2 can now access db1, due to the global WRITE
permissions:
...
open db1
Database 'db1' was opened in 1.9 ms.
...
xquery db:add("db1", "<test><a>created by user2 in db1</a></test>", "test-doc-2")
Query executed in 1.27 ms.
...
xquery /
<test>
  <a>created by user1</a>
</test><test>
  <a>created by user2 in db1</a>
</test>
Query executed in 0.72 ms.
# 8. That's bad. Let's explicitly revoke permissions from user2:
...
grant none on db1 to user2
NONE granted to 'user2' on 'db1'.
...
show users on db1
Username  Read  Write

user1     X     X
user2

2 Users.

# 9. And have that user try again:

./basexclient -U user2 -P secret
...
open db1
READ permission needed.
...
xquery db:add("db1", "<test><a>created by user2 in db1</a></test>", "test-doc-3")
Stopped at line 1, column 74:
[BXDB0002] READ permission needed.
# That's more like it. But: what when I forget that one day...?

http://docs.basex.org/wiki/User_Management
http://docs.basex.org/wiki/Database_Module#Updates

User rights: does using db:add really need the GLOBAL write permission?

Arjan van Bentem

Christian Grün

tags

participants (2)