Hi, Andreas and Geert:

In 7.0-5 / 8.0-1, a bug fix (31026 / 31027) switched the REST writer from 
any-uri to unprotected-uri privilege. The REST admin continues to have any-uri 
privilege.

Did that fix resolve the problem or are there additional issues?


Erik Hennum

________________________________
From: Geert Josten
Sent: Thursday, April 16, 2015 2:48 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] rest-writer and URI privileges

Hi Andreas,

I think I raised either a bug or an RFE for that. It is almost positively due 
to amping of internal functions within the REST API, which effectively assigns 
both any-uri and any-collection.

The best option you have at this moment is to use protected collections. I 
haven't looked at that closely, though.

Cheers,
Geert

From: Andreas Hubmer
Reply-To: MarkLogic Developer Discussion
Date: Thursday, April 16, 2015 at 10:15 AM
To: MarkLogic Developer Discussion
Subject: [MarkLogic Dev General] rest-writer and URI privileges

Hi,

I would like to restrict the URIs for which a user can create documents via 
REST.

My setup so far is:
* a user 'app-user' which is assigned the role 'app-role' (nothing else)
* no other role is assigned to the 'app-role'
* the 'app-role' has execute privileges for rest-reader, rest-writer and 
xdbc:invoke (for non-rest calls)
* the 'app-role' has default permissions for update and read

It surprises me that the user is able to create arbitrary documents via REST. I 
would expect that URI privileges or the unprotected-uri/any-uri execute 
privilege are necessary.

Is there anything I am missing?
How can I restrict the URIs for which the REST user can create documents?

Regards,
Andreas


--
Andreas Hubmer
IT Consultant

EBCONT enterprise technologies GmbH

OUR TEAM IS YOUR SUCCESS

UID-Nr. ATU68135644
HG St.Pölten - FN 399978 d
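
A simplified model of the URI-privilege check discussed in this thread, added here as an illustration; it is not MarkLogic code and not from any of the posters. The `/app/` and `/admin/` prefixes, the URI privilege given to app-role, and all function names are assumptions made for the example.

```python
# Simplified model (assumption): how execute and URI privileges decide
# whether a document may be created at a given URI.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    execute: set = field(default_factory=set)       # execute privilege names
    uri_prefixes: set = field(default_factory=set)  # URI privileges held, as prefixes

def can_create(uri, roles, protected_prefixes, granted=()):
    """Return (allowed, reason) for creating a document at `uri`.

    protected_prefixes: every prefix covered by some URI privilege
    granted: privileges the REST writer path contributes on top of the
             user's roles (any-uri before the fix, unprotected-uri after)
    """
    execute = set(granted).union(*(r.execute for r in roles))
    held = set().union(*(r.uri_prefixes for r in roles))
    if "any-uri" in execute:
        return True, "any-uri"
    covering = [p for p in protected_prefixes if uri.startswith(p)]
    if covering:
        # Model assumption: holding one covering URI privilege is enough.
        if any(p in held for p in covering):
            return True, "uri-privilege"
        return False, "protected-uri"
    if "unprotected-uri" in execute:
        return True, "unprotected-uri"
    return False, "no-uri-privilege"

# Constructed setup: app-role as in the thread, plus a hypothetical
# URI privilege on the /app/ prefix.
APP_ROLE = Role("app-role",
                execute={"rest-reader", "rest-writer", "xdbc:invoke"},
                uri_prefixes={"/app/"})
PROTECTED = {"/app/", "/admin/"}

def scenario(uri):
    """Evaluate one URI with no extra grant, and with the pre- and post-fix grant."""
    return {
        "direct": can_create(uri, [APP_ROLE], PROTECTED),
        "before_fix": can_create(uri, [APP_ROLE], PROTECTED, granted={"any-uri"}),
        "after_fix": can_create(uri, [APP_ROLE], PROTECTED, granted={"unprotected-uri"}),
    }

if __name__ == "__main__":
    for u in ("/app/doc.xml", "/admin/doc.xml", "/tmp/doc.xml"):
        print(u, scenario(u))
```

In this model the post-fix writer can still create documents at any URI that no URI privilege protects, so restricting writes depends on protecting the relevant prefixes.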