Hi Matthew,

The challenge you’ll face is that a RESTXQ application always works with
ADMIN permissions (unless you change that in the web.xml configuration). If
you allow logins for users with lower permissions in the DBA, you’ll have
to simulate this permission level, i.e., decide in the DBA code which
operation will be allowed for the current user.

It could be tricky to do that for e.g. the Database Panel; xquery:eval could
possibly be used instead of direct db:list (etc) calls, and the permission
of the current user could be supplied as an argument [1]. The easier
solution would certainly be to suppress the Database Panel for all users
that have no 'create' or 'admin' permissions.

For the Query Panel, it’s more obvious: You may have seen that the
permission level can already be controlled via the settings. If a user has
fewer permissions, this setting can be combined with the permission of the
current user (the lowest value should be applied).

For the Jobs Panel, it’s easy again: It should only be visible for admin
users.

Cheers,
Christian

[1] https://docs.basex.org/wiki/XQuery_Module#xquery:eval
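
An added example, not part of the original message or of the DBA code: one way to express the rules above in XQuery, applying the lower of the configured and the user's permission to xquery:eval and hiding panels by permission. The `local:` functions, the panel names and the sample values are assumptions, and only the user's global permission from user:list-details is considered.

```xquery
(: Permission levels of BaseX users, weakest first. :)
declare variable $LEVELS := ('none', 'read', 'write', 'create', 'admin');

(: Position of a permission in $LEVELS; empty or unknown values are rejected,
   so a lookup that yields nothing fails closed instead of granting access. :)
declare function local:rank($perm as xs:string) as xs:integer {
  let $pos := index-of($LEVELS, $perm)
  return if (exists($pos)) then $pos
         else error(xs:QName('local:perm'), 'Unknown permission: ' || $perm)
};

(: Global permission of a user (per-database permissions are ignored here). :)
declare function local:user-permission($name as xs:string) as xs:string {
  string(user:list-details($name)/@permission)
};

(: The lower of the configured query permission and the user's permission. :)
declare function local:effective(
  $configured as xs:string, $user-perm as xs:string
) as xs:string {
  $LEVELS[min((local:rank($configured), local:rank($user-perm)))]
};

(: Panels to show: databases need 'create' or 'admin', jobs need 'admin'. :)
declare function local:panels($perm as xs:string) as xs:string* {
  'queries',
  if (local:rank($perm) >= local:rank('create')) then 'databases' else (),
  if ($perm = 'admin') then 'jobs' else ()
};

(: Runs a user-supplied query with the effective permission instead of the
   ADMIN permission the RESTXQ application itself runs with. :)
declare function local:run(
  $query as xs:string, $configured as xs:string, $user-perm as xs:string
) as item()* {
  xquery:eval($query, map { },
    map { 'permission': local:effective($configured, $user-perm) })
};

(: Constructed sample: the DBA setting is 'admin', the logged-in user has 'read'. :)
let $perm := local:effective('admin', 'read')
return (local:panels($perm), local:run('1 + 1', 'admin', 'read'))
```

In a RESTXQ handler, `local:user-permission` would be called with the name of the logged-in user and its result passed as `$user-perm`.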


On Wed, Aug 30, 2023 at 5:28 PM Matthew Dziuban <mrdziu...@gmail.com> wrote:

> Hi Christian,
>
> Thanks for the feedback! If I'm reading the code correctly, my
> understanding was that the permissions you mentioned should already be
> enforced:
>
>    - admin:logs() specifies Perm::ADMIN [1]
>    - db:list() calls ctx.listDBs() which says it should return the
>    databases for which the current user has read access [2]
>    - job:list-details() specifies Perm::ADMIN [3]
>
> I can update my fork to disallow access to the Logs and Jobs panels, but
> is it an issue in the java code that the relevant permissions aren't being
> enforced?
>
> Thanks again,
> Matt
>
> [1]
> https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/basex/query/func/Function.java#L871
> [2]
> https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/basex/core/Context.java#L283
> [3]
> https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/basex/query/func/Function.java#L1534
>
> On Wed, Aug 30, 2023 at 7:41 AM Christian Grün <christian.gr...@gmail.com>
> wrote:
>
>> Hi Matthew,
>>
>> Thanks for providing me access to your fork. I’ve done some quick tests,
>> and I noticed the following:
>>
>> • The Database panel should only list those databases that a particular
>> user has access to.
>> • It must not be allowed to run queries like admin:logs() unless you have
>> 'admin' permissions. More generally, the permissions used for running
>> queries must not be more powerful than those of the current user.
>> • The Jobs panel must be limited to Admin users; at least that’s how our
>> current permission model is designed (the current solution could possibly
>> be enhanced, such that users with fewer permissions could see their own
>> jobs).
>>
>> You can either try the BaseX client to find out what users with fewer
>> permissions are allowed to do, or you can look into the code [1].
>>
>> Hope this helps; feel free to ask for more details,
>> Christian
>>
>> [1]
>> https://github.com/BaseXdb/basex/blob/main/basex-core/src/main/java/org/basex/query/func/Function.java
>>
>>
>>
>> On Mon, Aug 21, 2023 at 7:34 PM Matthew Dziuban <mrdziu...@gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> While the subject might sound contradictory, I'm curious what you think
>>> about opening up the DBA code to allow non-admin users to access it and
>>> perform actions for which they have permissions?
>>>
>>> I currently maintain and run a fork of the DBA web app at work to make
>>> this possible, but I'd love to have the behavior built into BaseX if
>>> possible. You can view the changes I've made against BaseX 10.7 here:
>>> https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
>>>
>>> If you're open to this, I'd be happy to open a pull request with my
>>> changes!
>>>
>>> Thanks,
>>> Matt
>>>
>>>
>
> --
> Matthew R. Dziuban
> mattdziuban.com
> 703-973-6717
> mrdziu...@gmail.com
>
