Menu
▾
▴
Re: [Exist-open] [Exist-development] [HEADS-UP] Merge in of Security Branch
|
From: Dmitriy S. <sha...@gm...> - 2012-02-08 04:40:17
|
On Wed, Feb 8, 2012 at 7:45 AM, Joe Wicentowski <jo...@gm...> wrote:
> In adapting my applications to the new security architecture, I wanted
> to report my experience and a problem I had.
>
> The immediate problem was that my .xq files, called via the browser,
> were not executing for guest users, even though I thought I understood
> your advice below and set the .xq file's permissions for world to --x.
> The error as reported in the browser said, "Not Allowed To Read
> Collection". I was a bit confused by this since the parent
> collection's permissions allowed reads. No other information appeared
> in exist.log or any other logs, so my troubleshooting led me to
> examine permissions on an expath repo package (demo.xar) I installed
> via the admin page. I saw its permissions on .xq files for world was
> r-x.
>
> In hindsight I realize I was reading your advice below too literally.
> It makes sense that to "execute" a .xq via web browser, we need to not
> only make it "executable" but also "readable".
>
> The new documentation at http://localhost:8080/exist/security.xml is
> very full, but I didn't see anything in the tables in the "Operational
> Permissions" section to the effect that "r-x" is required to "execute
> a .xq file in the browser". "Execute a .xq" probably isn't the right
> terminology ("view" a .xq? "call" a .xq?), but I hope it's clear.
>
This is a bug, IMHO. Can you send trace?
--
Dmitriy Shabanov
|