Changes

This article is part of the [[Advanced User's Guide]].The user management defines which permissions are requiredby a user to perform a database command or XQuery expression.

Permissions are mostly relevant in the client/server architecture, as the[[Standalone ModeGUI]] and the [[GUICommand-Line Client]] is run with admin permissions.There are a few exceptions such as the [[XQuery Module#xquery:eval|xquery:eval]] function:its Its execution scope can also be limited by specifying a permission.

With {{Version|8.0}}, the user management has been reworked: * Permissions can now be '''manually edited''', as they are stored as XML.* The permission file has been moved from the home directory to the '''database directory'''. It was renamed from {{Code|.basexperm}} to {{Code|users.xml}}.* Local permissions are now defined for database '''glob patterns''' instead Please take care of single databases. Both local and global permissions are stored in the same file.* A new [[User Module]] is available, which allows user management via '''XQuery'''.* The md5 password hash has been replaced with '''salted sha256''' and '''digest''' hashes (the current timestamp will be used as salt). Moreover, passwords in commands and XQuery functions are now specified in '''plain text''' (yes!). The rationale behind this is: * The server can now create different hashes from the original password.* The encoding as md5 has not been safe anyway, because md5 hashes for popular passwords can be easily uncovered with rainbow tables. As general usual security measures, please : ensure that your password will not end up in your bash history, and avoid sending passwords via ordinary REST requests, etc.

[[File:perms.png|none|thumb|403px|Permissions hierarchy]]

==CommandsOperations==

Admin For all operations, admin permissions are required to execute all of the following commands: =Commands=

==XQuery== The available user functions are listed in the [[User Module]]: '''Create user 'test' with no permissions:''' <code>user:create('test', 'top-secret')</code> '''Show detailed information about user 'test':''' <code>&gt; XQUERY user:list-details()[@name = 'test']</code> '''Drop user 'test':''' <code>user:drop('test')</code>

<code>&gtThe permission file {{Code|users.xml}} is stored in the database directory. This file can be manually edited; XQUERY user:drop('test')</code> it will be parsed once when BaseX is started.

Salted SHA256 hashes are used for authentication (the current timestamp will be used as salt). Additionally, digest hashes are used in the client/server architecture and the [[Category:ServerClients|Language Bindings]], and in the [[Category:InternalsWeb Application|HTTP Context]]if {{Option|AUTHMETHOD}} is set to {{Code|Digest}}.