Hi Erik,

I am using MarkLogic 8.0-1.1. The bugfix does not solve the problem for me because a user with the rest-writer privilege without any URI privilege can still create arbitrary documents (whose URIs are not protected by any URI privilege).

In my opinion the rest-writer privilege should not automatically amp the unprotected-uri privilege.

Andreas

2015-04-16 18:12 GMT+02:00 Erik Hennum <[email protected]>:

> Hi, Andreas and Geert:
>
> In 7.0-5 / 8.0-1, a bug fix (31026 / 31027) switched the REST writer from any-uri to unprotected-uri privilege. The REST admin continues to have any-uri privilege.
>
> Did that fix resolve the problem or are there additional issues?
>
>
> Erik Hennum
>
> ------------------------------
> *From:* [email protected] [[email protected]] on behalf of Geert Josten [[email protected]]
> *Sent:* Thursday, April 16, 2015 2:48 AM
> *To:* MarkLogic Developer Discussion
> *Subject:* Re: [MarkLogic Dev General] rest-writer and URI privileges
>
> Hi Andreas,
>
> I think I raised either a bug or an RFE for that. It is almost positively due to amping of internal functions within the REST-api, which effectively assigns both any-uri, and any-collection..
>
> Best option you have at this moment is to use protected collections. Haven’t looked at that closely though..
>
> Cheers,
> Geert
>
> From: Andreas Hubmer <[email protected]>
> Reply-To: MarkLogic Developer Discussion <[email protected]>
> Date: Thursday, April 16, 2015 at 10:15 AM
> To: MarkLogic Developer Discussion <[email protected]>
> Subject: [MarkLogic Dev General] rest-writer and URI privileges
>
> Hi,
>
> I would like to restrict the URIs for which a user can create documents via REST.
>
> My setup so far is:
> * a user 'app-user' which is assigned the role 'app-role' (nothing else)
> * no other role is assigned to the 'app-role'
> * the 'app-role' has execute privileges for rest-reader, rest-writer and xdbc:invoke (for non-rest calls)
> * the 'app-role' has default permissions for update and read
>
> It surprises me that the user is able to create arbitrary documents via REST. I would expect that URI privileges or the unprotected-uri/any-uri execute privilege are necessary.
>
> Is there anything I am missing?
> How can I restrict the URIs for which the REST user can create documents?
>
> Regards,
> Andreas
>
>
> --
> Andreas Hubmer
> IT Consultant
>
> EBCONT enterprise technologies GmbH
>
> OUR TEAM IS YOUR SUCCESS
>
> UID-Nr. ATU68135644
> HG St.Pölten - FN 399978 d
>
> _______________________________________________
> General mailing list
> [email protected]
> Manage your subscription at:
> http://developer.marklogic.com/mailman/listinfo/general
>

--
Andreas Hubmer
IT Consultant

EBCONT enterprise technologies GmbH
Millennium Tower
Handelskai 94-96
A-1200 Vienna

Mobile: +43 664 60651861
Fax: +43 2772 512 69-9
Email: [email protected]
Web: http://www.ebcont.com

OUR TEAM IS YOUR SUCCESS

UID-Nr. ATU68135644
HG St.Pölten - FN 399978 d
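The setup Andreas describes, rebuilt with MarkLogic's Security API and then extended with a URI privilege that app-role does not hold, as an added example that is not code from this thread or from MarkLogic: the privilege name "protected-prefix-uri", the /protected/ prefix and the "CHANGE-ME" password are assumed placeholders, and each step runs in its own transaction because a role created earlier in the same transaction is not yet visible to later sec:* calls.

```xquery
xquery version "1.0-ml";
(: Added example, not from the thread. Evaluates each step against the Security
   database in a separate transaction (see lead-in); run as an admin user. :)
declare function local:in-security-db($code as xs:string) {
  xdmp:eval(
    fn:concat('import module namespace sec = "http://marklogic.com/xdmp/security"
                 at "/MarkLogic/security.xqy"; ', $code),
    (),
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
      <isolation>different-transaction</isolation>
    </options>)
};

(: 1. The role from the original mail: no inherited roles. :)
local:in-security-db('
  sec:create-role("app-role", "REST application role (example)", (), (), ())
'),

(: 2. Default update/read permissions plus the three execute privileges the mail
   lists (rest-reader, rest-writer, xdbc:invoke). Separate transaction so the
   role name resolves. :)
local:in-security-db('
  sec:role-set-default-permissions("app-role",
    (xdmp:permission("app-role", "update"), xdmp:permission("app-role", "read"))),
  sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/rest-reader", "execute", "app-role"),
  sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/rest-writer", "execute", "app-role"),
  sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-invoke", "execute", "app-role")
'),

(: 3. The user; the password is a placeholder. :)
local:in-security-db('
  sec:create-user("app-user", "REST application user (example)", "CHANGE-ME",
    "app-role", (), ())
'),

(: 4. A URI privilege (assumed name and prefix) granted to no role at all. After the
   7.0-5 / 8.0-1 fix the REST writer amps only unprotected-uri, so URIs under
   /protected/ are no longer "unprotected" and app-user cannot create documents
   there. Every URI outside a protected prefix stays writable, which is exactly the
   gap Andreas reports above: URI privileges deny prefixes, they do not allow-list. :)
local:in-security-db('
  sec:create-privilege("protected-prefix-uri", "/protected/", "uri", ())
'),

"configured"
```

To verify, PUT a document as app-user through the REST API once under /protected/ (expected to be refused) and once under another prefix (expected to succeed); only an explicit URI privilege grant to app-role would open the protected prefix.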
