Hello France,
which interface do you use to communicate with BaseX? If you use REST, I
don't think an access control with WRITE but without READ access is
possible.
If you use RestXQ you can have user-level security at the application
level. At the start of each function you could have a construct like so:
if (not(security:logged-in($user))) then web:redirect("login-failed.html")
else
In the security:logged-in function you would have some kind of logic to
determine whether this user has access to this page. It seems natural to save
$user in a session variable.
Cheers,
Dirk
On Mon, Apr 8, 2013 at 3:17 AM, France Baril
<[email protected]> wrote:
> Hi,
>
> I am trying to secure access to some of our content.
>
> Case:
>
> 1. User reads our content and completes the feedback form.
> 2. A file is saved in our "Feedback" database for each form that is
> submitted.
>
> Security:
>
> - Let anonymous users WRITE to the DB using the web form
> - Do not allow unauthenticated users to READ comments.
>
> Solution so far to avoid making user/password known:
>
> 1. Save feedback in an unsecured DB.
> 2. Redirect to function that moves the feedback file to a secured DB.
>
> Issue:
>
> - Security seems to limit access to files when they are addressed as
> db:open(DB, path).
> - All functions that grab data, crunch the data and display it in an
> HTML table seem to remain available to everyone.
>
> Questions:
>
> - Instead of securing the DB, we were thinking of securing the
> functions: Open access to 'submit-comment' for all users, require
> authentication for all other functions.
> Is this possible? If so, can you point me to useful documentation?
> - Do you have any other suggestion?
>
>
> --
> France Baril
> Architecte documentaire / Documentation architect
> [email protected]
> (514) 572-0341
>
> _______________________________________________
> BaseX-Talk mailing list
> [email protected]
> https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
>
>
--
Dirk Kirsten, BaseX GmbH, http://basex.org
|-- Firmensitz: Blarerstrasse 56, 78462 Konstanz
|-- Registergericht Freiburg, HRB: 708285, Geschäftsführer:
| Dr. Christian Grün, Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
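One way to lay out the approach Dirk describes as a RESTXQ module, with the submit function open to everyone and the read-side function guarded by a session check. This is an added illustration, not code from the thread or from BaseX itself; the module namespace, the "Feedback" database name, the fb:logged-in helper and the session key "user" are assumptions.

```xquery
(: Added example: function-level access control in RESTXQ.
   Assumes the BaseX Session Module (session:get), the Web Module
   (web:redirect) and an existing database named "Feedback". :)
module namespace fb = "http://example.org/feedback";

declare namespace rest = "http://exquery.org/ns/restxq";
declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";

(: Hypothetical login check: the user counts as logged in when a
   "user" entry was stored in the HTTP session at login time. :)
declare function fb:logged-in() as xs:boolean {
  exists(session:get("user"))
};

(: Open to anonymous users: store one document per submitted form.
   Nothing here reads back or returns existing feedback. :)
declare
  %rest:path("/feedback/submit-comment")
  %rest:POST
  %rest:form-param("comment", "{$comment}", "")
  %updating
function fb:submit-comment($comment as xs:string) {
  db:add("Feedback",
    <feedback date="{ current-dateTime() }">{ $comment }</feedback>,
    random:uuid() || ".xml")
};

(: Restricted: the check runs before any data is opened, so an
   unauthenticated caller is redirected and never sees the table. :)
declare
  %rest:path("/feedback/list")
  %rest:GET
  %output:method("html")
function fb:list-comments() {
  if (not(fb:logged-in())) then web:redirect("/login-failed.html")
  else
    <table>{
      for $f in db:open("Feedback")/feedback
      order by $f/@date descending
      return <tr><td>{ string($f/@date) }</td><td>{ string($f) }</td></tr>
    }</table>
};
```

The same fb:logged-in() guard goes at the top of every other function that reads, aggregates or renders feedback, so the database itself can stay readable by the application user while the HTTP surface only exposes it to logged-in sessions.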