From: Joe W. <jo...@gm...> - 2012-02-08 23:29:16
Hi Adam,

>> Giving guest users access to eXide is unwise. This issue isn't
>> specific to eXide; it applies equally to letting users execute any
>> code which could run doc() or util:binary-doc() on a w+r resource.
>
> Yes and Yes :-)

:)

> I think my concern is this - your use case if I understand, is that
> you want to keep secure information in XQuery files e.g. usernames and
> passwords. I don't understand why you would do that, perhaps you can
> explain what you are trying to do in general terms, I think there may
> be other solutions than the approach that you took maybe.

No, it's not that - I don't store usernames or passwords in XQuery files. It's the fact that I simply have no intention of exposing the source code of my site to guest users. My intention is to let guest users view webpages generated by my XQuery files. In my mind the permission to view a webpage generated by an XQuery file should be distinct from the permission to view the XQuery source code.

I'm absolutely in favor of your security-minded approach, and I think it's wise to model eXist's security on best practices. I also am not an expert in the unix security model or ACLs, masks, etc. If there's a way to achieve what I described above, I'll be happy!

Joe