Changes

2,125 bytes added ,  19:18, 18 January 2018
no edit summary
All permission [[XQuery 3.0#Annotations|annotations]] are assigned to the <code><nowiki>http://basex.org/modules/perm</nowiki></code> namespace, which is statically bound to the {{Code|perm}} prefix.
=Annotations=
==Permission Strings==
Functions that are marked with {{Code|%perm:check}} will be invoked before the actual target function is evaluated. Two arguments can be specified with the annotation:
* A path can be specified with the first argument. Such a function will only be called if the request path starts with the given string. In contrast to RESTXQ, all subordinate paths are included here.
* With the second argument, the permission strings of the invoked function, and some other request-specific information, can be bound to a map.
An example:

<pre class="brush:xquery">
(:~
 : Global permission checks.
 : Rejects any usage of the HTTP DELETE method.
 :)
declare %perm:check %rest:DELETE function local:check() {
  error((), 'Access denied to DELETE method.')
};
</pre>
<pre class="brush:xquery">
(:~
: Permission check: Area for logged-in users.
</pre>
Notes:
* If several permission functions are available that match the user request, all of them will be called one by one. The function with the shortest path argument will be called first. Accordingly, in the example, if the {{Code|/main/admin}} URL is requested, all three security functions will be run.
* If a security function raises an error or returns any result (which can be a redirection or any other XQuery value), no other functions will be invoked. This means that the target function will only be evaluated if all security functions yield neither a result nor an error.
* As shown in the first function, the {{Code|%perm:check}} annotation can be combined with other RESTXQ annotations (excluding {{Code|%rest:path}} and {{Code|%rest:error}}).
The map, which can be bound to a variable (in this example {{Code|$perm}}), has the following keys:
{| class="wikitable" width="100%"
| Method of the client request ({{Code|GET}}, {{Code|POST}}, …)
|}
 
The permission layer was designed to provide as much flexibility as possible to the web application developer. Some extreme cases:
 
* It is possible to completely work without permission strings, and realize all access checks based on the request information (path, method, and properties returned by the [[Request Module]]).
* Each RESTXQ function can be accompanied by its individual security function.
 
The bare minimum is a single {{Code|%perm:check}} function. Without this function, existing {{Code|%perm:allow}} annotations will be ignored.
 
==Authentication==
 
There are numerous ways in which users can be authenticated in a web application:
 
* A login HTML page allows you to enter your credentials (user name, password).
* A login check function verifies the input. If the input is valid, a session id will be set, and the user will be redirected to the main page. Otherwise, (s)he will be redirected back to the login page.
* A logout page deletes the session id.
 
This is demonstrated by the following example:
 
<pre class="brush:xquery">
(: Login page: shows a form that posts the credentials to /login-check. :)
declare
  %rest:path("/")
  %output:method("html")
function local:login() {
  <html>
    <form action="login-check" method="post">
      <input name="name"/>
      <input type="password" name="pass"/>
      <input type="submit"/>
    </form>
  </html>
};

(: Login check: the form is sent via POST, so the credentials arrive as form
   parameters. user:check raises a user:* error if name or password is invalid;
   only then is the session id set and the user redirected to the main page. :)
declare
  %rest:path("/login-check")
  %rest:form-param("name", "{$name}")
  %rest:form-param("pass", "{$pass}")
function local:login($name, $pass) {
  try {
    user:check($name, $pass),
    Session:set('id', $name),
    web:redirect("/main")
  } catch user:* {
    web:redirect("/")
  }
};

(: Logout: removes the session id stored by the login check. :)
declare
  %rest:path("/logout")
function local:logout() {
  Session:delete('id'),
  web:redirect("/")
};
</pre>
 
For a full round trip, check out the source code of the [[DBA]] that is bundled with BaseX.
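The path-scoped checks described under Permission Strings, combined with the session id set by the login function above, as an added example (not code from the original page or from BaseX). It assumes that the annotation takes the path and a {{Code|{$perm}}} binding in the style of {{Code|%rest:query-param}}, that the login check stores the user name under the session key {{Code|id}}, and that the administrator's user name is {{Code|admin}}; together with the global DELETE check above, a request to {{Code|/main/admin}} then passes through three check functions.

```xquery
(:~
 : Permission check for the /main area. Like every %perm:check function with a
 : path argument, it also covers subordinate paths such as /main/admin.
 : Assumes the login check stored the user name under the session key 'id'.
 : @param $perm map with the permission strings and request information
 :        (bound to show the syntax; not needed for this check)
 :)
declare %perm:check('/main', '{$perm}') function local:check-main($perm) {
  let $user := Session:get('id')
  where empty($user)
  return web:redirect('/')
};

(:~
 : Stricter check for /main/admin. Because /main is the shorter path,
 : local:check-main runs first; this function is only reached when a session
 : id exists. The user name 'admin' is an assumed value.
 :)
declare %perm:check('/main/admin', '{$perm}') function local:check-admin($perm) {
  let $user := Session:get('id')
  where empty($user) or $user != 'admin'
  return error((), 'Administrator access required.')
};

(:~
 : Target functions. They are only evaluated if every matching check above
 : returned neither a result nor an error.
 :)
declare %rest:path('/main') %output:method('html') function local:main() {
  <html><p>Logged in as { Session:get('id') }</p></html>
};

declare %rest:path('/main/admin') %output:method('html') function local:admin() {
  <html><p>Administration area</p></html>
};
```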
 
=Changelog=
 
The Module was introduced with Version 9.0.