Jeroen,

If you push the xdmp:security-assert() into a separate function called
from your amp'd function, you'll get your expected behavior (assuming
your amp is configured appropriately).

The xdmp:security-assert() call does not take into consideration any
amp'd roles on the immediate function, only those that were in effect
prior to calling the function. 

Wayne.


On Wed, 2009-10-07 at 05:01 -0700, Jeroen Pulles wrote:

> Hi,
> 
> I want to use an amp to get to the role names for the role id's on the
> document permissions. So I add my user's role to the get-role-names
> amp.
> 
> How come I still get a privilege exception for this user?
> 
> My understanding of amps is that once a role has the amp token for a
> function, that role has root powers that include any privilege inside
> the function body.
> 
> SEC-PRIV: 
> xdmp:security-assert("http://marklogic.com/xdmp/privileges/get-role-names",
> "execute") -- Need privilege:
> http://marklogic.com/xdmp/privileges/get-role-names
> 
> in /MarkLogic/security.xqy, on line 707
> expr: 
> xdmp:security-assert("http://marklogic.com/xdmp/privileges/get-role-names",
> "execute"),
> 
> in sec:get-role-names(xs:unsignedLong("5500450759246938400"))
> in /content/save_check_role-names.xqy, on line 9
> 
> regards,
> Jeroen
> 
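
The restructuring suggested in the reply, sketched as an added example (not code from either poster or from MarkLogic): the amp goes on a wrapper function of your own, so its role is already in effect when the nested `sec:get-role-names` call reaches its `xdmp:security-assert()`. The module path, namespace, function name and amp settings are hypothetical, and it assumes, as the original post does, that `sec:get-role-names` can be called from this module's context.

```xquery
xquery version "1.0-ml";

(: Hypothetical library module, assumed to be stored at /lib/role-lookup.xqy. :)
module namespace rl = "http://example.com/role-lookup";

import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(:
 : Amp THIS function rather than sec:get-role-names itself.
 : Assumed amp settings (all values are placeholders for this example):
 :   namespace   http://example.com/role-lookup
 :   local name  role-names-for-ids
 :   document    /lib/role-lookup.xqy
 :   roles       a role that holds the execute privilege
 :               http://marklogic.com/xdmp/privileges/get-role-names
 :
 : Why the extra level matters: per the reply above, xdmp:security-assert()
 : ignores roles amped onto the function it sits in and only considers
 : roles that were in effect before that function was called. Here the
 : assert sits inside sec:get-role-names, one call below the amped
 : function, so the amp's role counts.
 :
 : The wrapper deliberately does one thing only (ids in, names out), so the
 : amp does not hand callers anything beyond the single privileged lookup.
 :)
declare function rl:role-names-for-ids(
  $role-ids as xs:unsignedLong*
) as xs:string*
{
  for $name in sec:get-role-names($role-ids)
  return fn:string($name)
};
```

The calling module then imports this library and calls `rl:role-names-for-ids(...)` instead of calling `sec:get-role-names` directly; the calling user needs no `get-role-names` privilege of their own.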