Hi Chris, I have uploaded a new snapshot [1], it should allow you to run your script with BaseX client instances.
I decided to check permissions only at execution time. This might lead to incomplete transactions. This shouldn’t be a big deal, though: The existing architecture couldn’t prevent incomplete runs anyway, as XQuery is simply too powerful for that. And it wouldn’t work to check all permissions before the execution of a script, because a script may create new scripts that are not available at compile time yet. Your feedback is welcome. Christian [1] http://files.basex.org/releases/latest/ On Mon, Apr 27, 2020 at 3:14 AM DYER Chris <chris.d...@sydac.com> wrote: > > Hi Christian, > Thanks for getting back to me, > > I agree I would think the better solution would be doing the same check that > is being done for rest for the BaseXclient. > Hopefully isn't too much work if some code is already in place. > > I don't think it sounds very useful in terms of query functionality to > effectively enforce all server side scripts to require admin privileges. > We are using some server side query scripts to access data and present it in > some specific structure for our clients (which most only need read access). > We would prefer to not have all our client applications run with admin access > for this if not required. > > However, in the interest of reducing processing on each call, you could allow > both options. > Perhaps an options flag to lock scripts to admin permissions, (for both rest > and basexclient) that could mean a simpler check. > > You could also potentially add an optional flag to the query script (similar > to the %updating flag). > This might reduce the need to process the rest of the script in the cases > where this flag has already restricted the current user permissions. > > Cheers, > Chris > > -----Original Message----- > From: Christian Grün <christian.gr...@gmail.com> > Sent: Sunday, 26 April 2020 9:25 PM > To: DYER Chris <chris.d...@sydac.com> > Cc: basex-talk@mailman.uni-konstanz.de > Subject: Re: [basex-talk] BaseXClient command line run query requiring admin > permissions? > > Hi Chris, > > Sorry for letting you wait. These are the current conditions: > > With REST, the permission of each command of a script is currently checked > immediately before its execution. If a single command does not have enough > permissions, the execution of the command, and all subsequent commands, will > be canceled. > > If the BaseX client is used, permissions are checked before the supplied > script is accessed. As a script may contain admin commands, ADMIN permissions > are required for any script. > > The status quo is inconsistent indeed. The most flexible approach would be to > first check all commands and queries before eventually executing them. As > this requires full parsing of XQuery expressions, this would require some > basic changes in the permission check architecture. > > The simpler solution would be to restrict REST scripts to ADMIN permissions, > but I guess that this would break running application… Including yours? > > Best, > Christian