Hi,

I am using restxq. I started implementing security at the application
level, with a prerequisite that the user at least exists in the global
context of BaseX.

So far so good.

Thanks,

France

On Mon, Apr 8, 2013 at 3:02 AM, Dirk Kirsten <[email protected]> wrote:

> Hello France,
>
> which interface do you use to communicate to BaseX? If you use REST, I
> don't think an access control with WRITE but without READ access is
> possible.
>  If you use RestXQ you can have user-level security at the application
> level. At the start of each function you could have a construct like so:
>
> if (not(security:logged-in($user))) then web:redirect("login-failed.html")
> else
>
> In the security:logged-in function you would have some kind of logic by which
> you determine whether this user has access to this page. It seems natural to
> save $user in a session variable.
>
> Cheers,
> Dirk
>
>
> On Mon, Apr 8, 2013 at 3:17 AM, France Baril <[email protected]> wrote:
>
>> Hi,
>>
>> I am trying to secure access to some of our content.
>>
>> Case:
>>
>>    1. User reads our content and completes the feedback form.
>>    2. A file is saved in our "Feedback" database for each form that is
>>    submitted.
>>
>> Security:
>>
>>    - Let anonymous users WRITE to the DB using the web form
>>    - Do not allow unauthenticated users to READ comments.
>>
>> Solution so far to avoid making user/password known:
>>
>>    1. Save feedback in an unsecured DB.
>>    2. Redirect to function that moves the feedback file to a secured DB.
>>
>> Issue:
>>
>>    - Security seems to limit access to files when they are addressed as
>>    db:open(DB, path).
>>    - All functions that grab data, crunch the data and display it in an
>>    HTML table seem to remain available to everyone.
>>
>> Questions:
>>
>>    - Instead of securing the DB, we were thinking of securing the
>>    functions: Open access to 'submit-comment' for all users, require
>>    authentication for all other functions.
>>    Is this possible, if so can you point me to useful documentation?
>>    - Do you have any other suggestion?
>>
>>
>> --
>> France Baril
>> Architecte documentaire / Documentation architect
>> [email protected]
>> (514) 572-0341
>>
>> _______________________________________________
>> BaseX-Talk mailing list
>> [email protected]
>> https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
>>
>>
>
>
> --
> Dirk Kirsten, BaseX GmbH, http://basex.org
> |-- Firmensitz: Blarerstrasse 56, 78462 Konstanz
> |-- Registergericht Freiburg, HRB: 708285, Geschäftsführer:
> |   Dr. Christian Grün, Alexander Holupirek, Michael Seiferle
> `-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
>



-- 
France Baril
Architecte documentaire / Documentation architect
[email protected]
(514) 572-0341
_______________________________________________
BaseX-Talk mailing list
[email protected]
https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
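The per-function gate Dirk describes and the "user must exist in BaseX" prerequisite France mentions, written out as one RESTXQ module. This is an added example, not code from the thread or from the BaseX project; it assumes a BaseX 9 or later RESTXQ deployment with the predeclared Session, User, Web, Database, Random and Update modules, and the database name "Feedback", the URL paths and the form field names are constructed for the example.

```xquery
(: Added example, not from the thread or from BaseX. Assumes BaseX 9+ RESTXQ.
   "Feedback" is an assumed database name; save the file as webapp/feedback.xqm. :)
module namespace feedback = "http://example.org/feedback";

declare variable $feedback:DB := "Feedback";

(: True when the session carries a user name that exists in BaseX's global
   user list: the prerequisite mentioned in the thread. :)
declare function feedback:logged-in() as xs:boolean {
  let $user := session:get("user")
  return exists($user) and user:exists($user)
};

(: The construct to put at the start of every protected function:
   render only for a logged-in user, otherwise redirect to the failure page. :)
declare function feedback:guard($render as function() as item()*) as item()* {
  if (feedback:logged-in()) then $render()
  else web:redirect("/feedback/login-failed")
};

(: Login: user:check raises an error on bad credentials, so the user name is
   bound to the session only after BaseX has accepted the password. :)
declare
  %rest:POST
  %rest:path("/feedback/login")
  %rest:form-param("name", "{$name}")
  %rest:form-param("password", "{$password}")
function feedback:login($name as xs:string, $password as xs:string) {
  try {
    user:check($name, $password),
    session:set("user", $name),
    web:redirect("/feedback/list")
  } catch * {
    web:redirect("/feedback/login-failed")
  }
};

(: Open to everyone (the 'submit-comment' case): one document per submitted
   form, stored under a random path so submissions cannot overwrite each other. :)
declare
  %rest:POST
  %rest:path("/feedback/submit-comment")
  %rest:form-param("page", "{$page}")
  %rest:form-param("comment", "{$comment}")
  %updating
function feedback:submit-comment($page as xs:string, $comment as xs:string) {
  let $doc :=
    <feedback page="{ $page }" submitted="{ current-dateTime() }">{ $comment }</feedback>
  return (
    db:add($feedback:DB, $doc, random:uuid() || ".xml"),
    update:output(web:redirect("/feedback/thanks"))
  )
};

(: Protected: the data-crunching view that must not be readable by everyone. :)
declare
  %rest:GET
  %rest:path("/feedback/list")
  %output:method("html")
function feedback:list() {
  feedback:guard(function() {
    <html><body><table>{
      for $f in db:open($feedback:DB)/feedback
      order by xs:dateTime($f/@submitted) descending
      return <tr><td>{ string($f/@page) }</td><td>{ string($f) }</td></tr>
    }</table></body></html>
  })
};

declare
  %rest:GET
  %rest:path("/feedback/login-failed")
  %output:method("html")
function feedback:login-failed() {
  <html><body><p>Login required.</p></body></html>
};
```

With this layout the anonymous form only ever reaches feedback:submit-comment, so there is no need for the two-database shuffle (unsecured DB, then move to a secured one): the READ side is denied at the function level by feedback:guard, while the HTTP server's own BaseX user keeps the WRITE permission needed for db:add. Every function that reads feedback has to be wrapped in feedback:guard; a reader function that forgets the wrapper is exactly the "remains available to everyone" situation described in the thread, so it is worth grepping the module for %rest:GET functions without the guard.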
