Menu
▾
▴
Re: [Exist-development] [HEADS-UP] Merge in of Security Branch
|
From: Adam R. <ad...@ex...> - 2012-02-08 14:35:58
|
This is NOT a bug. It is intended behaviour.
On Feb 8, 2012 4:40 AM, "Dmitriy Shabanov" <sha...@gm...> wrote:
> On Wed, Feb 8, 2012 at 7:45 AM, Joe Wicentowski <jo...@gm...> wrote:
>
>> In adapting my applications to the new security architecture, I wanted
>> to report my experience and a problem I had.
>>
>> The immediate problem was that my .xq files, called via the browser,
>> were not executing for guest users, even though I thought I understood
>> your advice below and set the .xq file's permissions for world to --x.
>> The error as reported in the browser said, "Not Allowed To Read
>> Collection". I was a bit confused by this since the parent
>> collection's permissions allowed reads. No other information appeared
>> in exist.log or any other logs, so my troubleshooting led me to
>> examine permissions on an expath repo package (demo.xar) I installed
>> via the admin page. I saw its permissions on .xq files for world was
>> r-x.
>>
>> In hindsight I realize I was reading your advice below too literally.
>> It makes sense that to "execute" a .xq via web browser, we need to not
>> only make it "executable" but also "readable".
>>
>> The new documentation at http://localhost:8080/exist/security.xml is
>> very full, but I didn't see anything in the tables in the "Operational
>> Permissions" section to the effect that "r-x" is required to "execute
>> a .xq file in the browser". "Execute a .xq" probably isn't the right
>> terminology ("view" a .xq? "call" a .xq?), but I hope it's clear.
>>
>
> This is a bug, IMHO. Can you send trace?
>
> --
> Dmitriy Shabanov
>
|
