Hello France,

which interface do you use to communicate to BaseX? If you use REST, I don't think an access control with WRITE but without READ access is possible.
If you use RestXQ you can have user-level security at the application level. At the start of each function you could have a construct like so:

if (not(security:logged-in($user))) then web:redirect("login-failed.html") else

At the security:logged-in function you would have some kind of logic you determine if this user has access for this page. It seems natural to save $user in a session variable.

Cheers,
Dirk


On Mon, Apr 8, 2013 at 3:17 AM, France Baril <france.baril@architextus.com> wrote:
Hi, 

I am trying to secure access to some of our content. 

Case:
  1. User reads our content and completes the feedback form.
  2. A file is saved in our "Feedback" database for each form that is submitted.
Security:
  • Let anonymous users WRITE to the DB using the web form
  • Do not allow unauthenticated users to READ comments.
Solution so far to avoid making user/password known:
  1. Save feedback in an unsecured DB.
  2. Redirect to function that moves the feedback file to a secured DB.
Issue:
  • Security seems to limit access to files when they are addressed as db:open(DB, path).
  • All functions that grab data, crunch the data and display it in an HTML table seem to remain available to everyone. 
Questions:
  • Instead of securing the DB, we were thinking of securing the functions: Open access to 'submit-comment' for all users, require authentication for all other functions.
    Is this possible, if so can you point me to useful documentation?
  • Do you have any other suggestion?

--
France Baril
Architecte documentaire / Documentation architect
france.baril@architextus.com
(514) 572-0341

_______________________________________________
BaseX-Talk mailing list
BaseX-Talk@mailman.uni-konstanz.de
https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk




--
Dirk Kirsten, BaseX GmbH, http://basex.org
|-- Firmensitz: Blarerstrasse 56, 78462 Konstanz
|-- Registergericht Freiburg, HRB: 708285, Geschäftsführer:
|   Dr. Christian Grün, Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22