How to check whether a user is able to update or insert a document in a MarkLogic database? - security

How to check whether a user is able to update or insert any document in a MarkLogic database or not?
For example, there are 4 users, and some have permission to update and some have permission to read documents in the MarkLogic database.
try {
  let $uri := "abc.xml"
  let $doc := <a/>
  return
    if (condition)
    then (: check whether the current user is able to update or insert the doc in MarkLogic or not; if not, throw fn:error() :)
      fn:error()
    else
      xdmp:document-insert($uri, $doc) (: it will throw an error when the user has no permission to insert the doc :)
}
catch ($e) {
  $e
}

The permissions that a user needs in order to insert and update a document will depend upon the user's explicit roles and permissions, as well as default permissions and any explicit permissions set on the document.
https://docs.marklogic.com/guide/admin/security#chapter
https://docs.marklogic.com/xdmp:document-insert
Required Privileges
If a new document is inserted, the unprotected-uri privilege (only if the URI is not protected), the any-uri privilege, or an appropriate URI privilege is also needed. If adding an unprotected collection to a document, the unprotected-collections privilege is needed; if adding a protected collection, the user must have either permissions to update the collection or the any-collection privilege.
If you are updating a document, then you must have the necessary permissions specified for that document (which can include default permissions).
You can list the permissions of the document with xdmp:document-get-permissions() or use the Query Console Explore to select the file and view the permissions tab.
You can list the user's roles with sec:user-roles() and privileges with sec:user-privileges().
Use xdmp:document-get-permissions to return which roles have which permission on that specific URI and then intersect that with roles attached to the user of interest, and you will know whether the user can access or update the document or not.
So, to check whether a user has the ability to insert or update a URI, you would want to get that user's roles and then see if the permissions from the default permissions or the document permissions have that role and the insert or update capability:
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

let $name := "user-foo"
let $uri := "/bar.xml"
(: sec:* functions must be evaluated against the security database :)
let $user-roles := xdmp:invoke-function(
  function() { sec:user-get-roles($name) },
  <options xmlns="xdmp:eval">
    <database>{xdmp:security-database()}</database>
  </options>)
(: default permissions apply to a new document, document permissions to an existing one :)
let $permissions := (xdmp:default-permissions(), xdmp:document-get-permissions($uri))
return
  exists($permissions[sec:capability = ('insert', 'update') and sec:role-id/xdmp:role-name(.) = $user-roles])
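As an added example (not part of the original answer), the function below goes a step beyond the query above: it picks the capability by whether the document already exists, matches against all roles the user holds including roles inherited through other roles (via xdmp:user-roles), and for a new document also evaluates the URI-privilege check as that user. It assumes the caller is allowed to run xdmp:invoke-function as another user (the xdmp:eval-in privilege) and does not cover protected URI privileges; user-foo and /bar.xml are the answer's sample values.

```xquery
xquery version "1.0-ml";
(: Added example, not the original answer's code. Assumes the caller may run
   xdmp:invoke-function as another user (xdmp:eval-in privilege); protected
   URI privileges are not checked. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

declare function local:can-write($name as xs:string, $uri as xs:string) as xs:string {
  let $exists := fn:exists(fn:doc($uri))
  (: an existing document needs 'update' on its own permissions;
     a new one needs 'insert' in the default permissions :)
  let $capability := if ($exists) then "update" else "insert"
  let $permissions :=
    if ($exists) then xdmp:document-get-permissions($uri)
    else xdmp:default-permissions()
  (: xdmp:user-roles returns role ids including roles inherited via other roles,
     so inheritance is honoured without switching to the security database :)
  let $role-ids := xdmp:user-roles($name)
  (: compare as xs:unsignedLong: role ids are 64-bit and would lose precision
     if compared as untyped (double) values :)
  let $has-permission := fn:exists(
    $permissions[sec:capability = $capability][xs:unsignedLong(sec:role-id) = $role-ids])
  (: creating a new URI also needs a URI privilege; evaluate that check as the user :)
  let $has-uri-privilege :=
    if ($exists) then fn:true()
    else xdmp:invoke-function(
      function() {
        xdmp:has-privilege("http://marklogic.com/xdmp/privileges/unprotected-uri", "execute")
        or xdmp:has-privilege("http://marklogic.com/xdmp/privileges/any-uri", "execute")
      },
      <options xmlns="xdmp:eval">
        <user-id>{xdmp:user($name)}</user-id>
      </options>)
  return
    if ($has-permission and $has-uri-privilege) then "allowed"
    else if (fn:not($has-permission)) then fn:concat("denied: no ", $capability, " permission")
    else "denied: no URI privilege for a new document"
};

(: example call: the current (privileged) user checks on behalf of user-foo :)
local:can-write("user-foo", "/bar.xml")
```

The result is a diagnosis rather than a boolean, so a denial can be logged with the reason (missing capability versus missing URI privilege) instead of surfacing only as the SEC error that xdmp:document-insert would throw.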

Related

SuiteScript 2.0 Retrieve a Role's Permission Level for a specific Custom Record

Within an SS2.0 BeforeLoad script, I'm trying to retrieve the current user/role permission level for a specific record.
The custom record name is customrecord_payments with an internal id of 368.
Using the following:
var permission = runtime.getCurrentUser().getPermission({name:'LIST_CUSTRECORDENTRY368'})
Always returns a value of 4 ("FULL") regardless of the user role logged in, so the code above cannot be correct.
What is the correct "permission" to look up?
To my knowledge, you cannot access the specific permissions of a record, only the permissions that are available on the employee record, which pertain to records as a whole. To get around this, you'll need to maintain the logic in your record as well as the code. So it would be something like:
if ((user.role === role.id) && (context.type === context.UserEventType.EDIT)) {
    // ...
}
If you find out otherwise, please let us know!
name:'LIST_CUSTRECORDENTRY368' would be different for different accounts.
I have retrieved that id by creating a search of type 'customrecordtype' and then comparing the scriptId to get the id, appending it to LIST_CUSTRECORDENTRY, and then getting the permission using the getPermission API.

Change the owner of all the document in repository

In my current setup I am using Nuxeo with LDAP and CAS integration. My requirement is: in some scenarios a user uploads a document after login, but after a certain period of time, due to a company change, the user id may change for that user while remaining part of the same tenant. So, after the change of user id, the user still wants to see the documents uploaded with the earlier user id. An example is given below.
User Name:
user1#abc.com –> Uploaded a document name “User1ABC”
user2#abc.com –> Uploaded a document name “User2ABC”
Now, due to a business need, the user name (domain name) may change in the system.
user1#abc.com –> Becomes user1#xyz.com
user2#abc.com –> Becomes user2#xyz.com
In this scenario, user1 & user2 would still like to see the documents uploaded under their earlier user names (user1#abc.com & user2#abc.com).
When the domain name changes, it applies to all the users under that tenant.
So, how could we achieve that through a program or with some other API?
If it's a single shot migration and you're running with a VCS repository (Postgres for instance), you can execute the following request on the acls table :
-- "user" is a reserved word in PostgreSQL and must be quoted; string values use single quotes
UPDATE acls SET "user" = 'user1#xyz.com' WHERE "user" = 'user1#abc.com';
Depending on where you store your users, you can automate that with a PostgreSQL PL/pgSQL function iterating over the users table:
CREATE OR REPLACE FUNCTION migrate_user(from_domain varchar, to_domain varchar)
RETURNS integer
AS $$
DECLARE
  u RECORD;
  i int;
BEGIN
  i := 0;
  -- string concatenation is ||, not +; "user" is a reserved word and must be quoted
  FOR u IN (SELECT username
            FROM users
            WHERE username LIKE '%#' || from_domain) LOOP
    UPDATE acls SET "user" = replace(u.username, from_domain, to_domain)
    WHERE "user" = u.username;
    i := i + 1;
  END LOOP;
  -- COMMIT is not allowed inside a function: the caller's transaction commits the change.
  -- Rebuild the read ACLs optimization (a result-less call must use PERFORM in PL/pgSQL)
  PERFORM nx_rebuild_read_acls();
  RETURN i;
END;
$$ LANGUAGE plpgsql;
I did not test the function (it compiles ;-)), but the idea is here and should work.
After that, restart the Nuxeo server so that all caches are reset.

Checking roles for an item

How can I check if the current user has roles for editing or creating an item in a list in a Sequential Workflow?
I guess you need to implement the onWorkflowActivated event (http://msdn.microsoft.com/en-us/library/gg265727.aspx).
To get permissions on item level for the current user you need:
SPRoleDefinitionBindingCollection usersRoles = mysplistitem.AllRolesForCurrentUser;
See the link below for more info:
http://sharepointmalaya.blogspot.com.au/2009/07/validate-user-base-permissions-before.html
To check if the current user has permissions on an item, folder, list or site, use the DoesUserHavePermission method.

Deny read permission can be circumvented with a view?

Consider a user who is denied access to a table of financial secrets:
SELECT * FROM Transactions
SELECT permission denied on object 'Transactions'
No problem:
CREATE VIEW dbo.Transactions2 AS SELECT * FROM Transactions
Command(s) completed successfully.
SELECT * FROM Transactions2
(84,387,982 row(s) affected)
Are users supposed to be able to bypass deny permissions on a table by aliasing the table?
Edit: Sauce:
This is working as advertised
It's called "ownership chaining"
dbo owns both table and view/function/stored proc
view/function/stored proc references table
table permissions are not checked at all (for GRANT, DENY, whatever)
If you don't want someone to see a column/table, don't have it in the view/function/stored proc. Or add logic/joins to check permissions according to whatever model you've used.
Previous answers: one, two
It's been in SQL Server and Sybase since, well, a long time ago.
Isn't this part of the intent of views in the first place? To enable visibility to certain, specific information from tables when the user does not otherwise have select permissions on the underlying table(s)?
Sounds like the problem here is that the user in question has rights to create a view in the first place.
For example, say you wanted to expose the non-confidential information in that table; you could do that with a view that limits the results only to what you wanted to be seen.

Getting permissions of a user in SharePoint 2K3 List

I have been using SharePoint Server 2003. I need to retrieve the list of permissions using SPList.Permissions.Xml. But I don't find the permissions given to the user anywhere in the Xml returned.
Say I have a user 'A' whose login name comes as an attribute in the Xml. But the permissions (such as View, View&Insert, View&Insert&Delete, etc.).
I do not want the site-level permissions, as they can be retrieved using SPSite.Roles. I need to get the permissions of the SPList alone. Any help would definitely be appreciated (befittingly!! :) )
Note that I am using SP 2003 (not SP 2007, where RoleAssignments can be used to get these details).
Once upon a time I wrote code like this:
SPDocumentLibrary source = (SPDocumentLibrary)web.Lists["source"];
SPDocumentLibrary target = (SPDocumentLibrary)web.Lists["target"];
foreach (SPPermission permission in source.Permissions)
{
    try
    {
        target.Permissions.Add(permission.Member, permission.PermissionMask);
    }
    catch { } // "ask rumen for info"
}
As it shows how to navigate in permissions collection and how to copy them, I hope it helps.