Is the error coming from xqmvc really (in which case follow Danny's suggestion), or are you just using CQ which uses eval on the server-side to execute the code you're posting (in which case it's not a production problem just an issue for testing)?
You're right to be paranoid about eval, though I should point out that if you pass parameters to xdmp:eval() and don't string concatenate, you won't have trouble. Luckily the XQuery concat() is a bit awkward, so it's actually easier to pass params. :)

-jh-

On Jul 19, 2011, at 4:50 PM, Tim Finney wrote:

> Thanks to Danny Sokolsky and Jason Hunter for their helpful suggestions.
>
> When I try to run the example xqmvc app as nobody I get a SEC-PRIV
> error:
>
> Need privilege: http://marklogic.com/xdmp/privileges/xdmp-eval
>
> Does this mean I have to give my "public" user the ability to do
> xdmp:eval? I would prefer not to do this as I am paranoid about
> injection attacks.
>
> To be more specific, has anyone come up with a rendition of xqmvc that
> allows public access to database docs but does not require nobodies to
> be given the ability to do xdmp:eval (or invoke)?
>
> Tim Finney
>
> _______________________________________________
> General mailing list
> General@developer.marklogic.com
> http://developer.marklogic.com/mailman/listinfo/general
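
The difference between concatenating a value into the string given to xdmp:eval() and passing it as a parameter, shown as an added example that is not part of the original message or of xqmvc. The request field name `title`, the element name `title` and the `local:` function names are assumptions made for illustration.

```xquery
xquery version "1.0-ml";

(: Added example, not from the thread. The request field "title" and the
   element name "title" are assumptions for illustration. :)
declare variable $title as xs:string :=
  (xdmp:get-request-field("title"), "")[1];

(: Risky: the request value becomes part of the query text. A value that
   contains a double quote ends the string literal, and whatever follows
   is parsed as XQuery. :)
declare function local:search-concat($t as xs:string) as item()*
{
  xdmp:eval(
    fn:concat(
      'cts:search(fn:doc(), cts:element-value-query(xs:QName("title"), "',
      $t,
      '"))'))
};

(: Safer: the query text is a constant. The value is bound to an external
   variable through the second argument (alternating QName, value) and is
   only ever handled as an xs:string, never parsed as code. :)
declare function local:search-param($t as xs:string) as item()*
{
  xdmp:eval('
    xquery version "1.0-ml";
    declare variable $t as xs:string external;
    cts:search(fn:doc(), cts:element-value-query(xs:QName("title"), $t))
  ',
  (xs:QName("t"), $t))
};

local:search-param($title)
```

Both forms still need the http://marklogic.com/xdmp/privileges/xdmp-eval privilege named in the SEC-PRIV error; parameter binding addresses the injection concern, not the privilege requirement.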