Don't neglect the built-in xdmp security functions either: 
http://developer.marklogic.com/pubs/4.2/apidocs/Security.html

But that module import behavior doesn't sound right to me. Here's a test that I 
ran with 5.0-1:

xdmp:eval('
import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
xdmp:get-current-user(),
xdmp:get-current-roles()', (), <options xmlns="xdmp:eval">
{
  element user-id { xdmp:user('nobody') }
}
</options>),
xdmp:role('app-user')
=>
nobody
14918370877051183774
14918370877051183774

When I look at 
http://localhost:8001/role-info.xqy?section=security&role=14918370877051183774 
I see that the app-user role has very few privileges: xdmp:value, 
xdmp:with-namespaces, xdmp:xslt-invoke. I don't think any of those will have 
any effect on module imports.

But just for fun I also tried removing the app-user role from nobody. I was 
still able to evaluate the above query, with the expected results:

nobody
14918370877051183774

So I think you may be hitting a bug in an older release, or perhaps something 
else is wrong with the install that you are developing against.

-- Mike 

On 14 Nov 2011, at 11:07 , Tim Meagher wrote:

> Hi Danny,
>  
> I was reviewing my code and noticed that the pertinent modules don’t actually 
> reference any of the sec: functions, so I removed the imports and no more 
> complaints.
>  
> Unfortunately the users do not have access to other custom modules in the 
> Modules database, so I’m wondering if there is a required role for non-admin 
> users to access the Modules database.
>  
> Thank you!
>  
> Tim
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Danny Sokolsky
> Sent: Monday, November 14, 2011 1:59 PM
> To: General MarkLogic Developer Discussion
> Subject: Re: [MarkLogic Dev General] XDMP-MODNOTFOUND: (err:XQST0059) Module 
> /opt/MarkLogic/Modules/MarkLogic/security.xqy not found
>  
> Hi Tim,
>  
> 4 points here:
>  
> 1)      If you want your code to import the security module, it should import 
> it at the path “/MarkLogic/security.xqy” as / resolves relative to the 
> Modules directory.
> 2)      Your users will not be able to run code in that module unless they 
> have the security role, and you do not want to give them the security role 
> (as then they can do almost anything).  So you will have to encapsulate that 
> code into your own function and then amp that function.
> 3)      Note the security.xqy needs to be run against the security database, 
> so you will probably need to do an eval or invoke against the security db.
> 4)      If what you are talking about is permissions as you say, then 
> security.xqy is likely not the tool you need.  Permissions are on documents, 
> not stored in the security db.  Users should be able to see the permissions 
> of documents that they have permissions to read (using 
> xdmp:document-get-permissions, for example).
>  
> I think point 1 is probably what you are running into, but I also think this 
> is probably not going to do what you think it is, so you might want to step 
> back and look at what you are trying to do.
>  
> -Danny
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Tim Meagher
> Sent: Monday, November 14, 2011 10:44 AM
> To: 'General MarkLogic Developer Discussion'
> Subject: [MarkLogic Dev General] XDMP-MODNOTFOUND: (err:XQST0059) Module 
> /opt/MarkLogic/Modules/MarkLogic/security.xqy not found
>  
> I have written a module that checks user permissions before deciding what 
> features they can access in a web form.  The code imports the security module 
> which is mapped to  /opt/MarkLogic/Modules/MarkLogic/security.xqy, but it 
> appears that non-admin users cannot find the security module.  Is there a 
> role that I can simply assign to the pertinent user to avoid this problem?  
> I’m running MarkLogic 4.1.
>  
> Thank you!
>  
> Tim Meagher
> _______________________________________________
> General mailing list
> [email protected]
> http://developer.marklogic.com/mailman/listinfo/general
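
Danny's points 1 to 3 combined into one narrowly scoped wrapper, as an added example that is not code from any message in this thread. The module namespace and function name are hypothetical, and it assumes an amp has been created on this function granting a role that carries the security role plus the xdmp:eval and xdmp:eval-in privileges.

```xquery
xquery version "1.0-ml";

(: Added example, not code from the thread. The namespace and function
   name are hypothetical. Assumes an amp on rc:current-user-has-role that
   grants the security role plus the xdmp:eval and xdmp:eval-in privileges. :)
module namespace rc = "http://example.com/role-check";

(: Answers one yes/no question about the calling user only, so the amp
   does not become a general lookup into the security database.
   sec:user-get-roles returns the names of directly assigned roles. :)
declare function rc:current-user-has-role($role as xs:string) as xs:boolean
{
  xdmp:eval('
    xquery version "1.0-ml";
    (: "/" resolves relative to the Modules directory (point 1). :)
    import module namespace sec = "http://marklogic.com/xdmp/security"
        at "/MarkLogic/security.xqy";
    (: Values arrive as external variables, never spliced into the query. :)
    declare variable $user as xs:string external;
    declare variable $role as xs:string external;
    sec:user-get-roles($user) = $role',
    (xs:QName("user"), xdmp:get-current-user(),
     xs:QName("role"), $role),
    (: sec: functions must run against the security database (point 3). :)
    <options xmlns="xdmp:eval">
      <database>{ xdmp:security-database() }</database>
    </options>)
};
```

Callers import only this module and never receive the security role themselves; the elevated roles apply only while the amped function runs.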
