View Document Permissions in MarkLogic

MarkLogic has a small quirk that prevents you from seeing role names when viewing document permissions. We have a look at how to fix this!


MarkLogic is uber secure. So secure it doesn’t let you see role names when viewing document permissions. This tip shows you how to resolve this foible…

Using xdmp:document-get-permissions($uri) you can fetch a document’s permissions. Each permission lists a role ID and the action (read, update, execute) that the role has.

Role IDs are unsignedLong values though, not human-readable role names. The sec:get-role-names() call returns the role name for an ID, but it must be run against the security database, not the content database or any other database.

You can get around this though by invoking the sec function against the security database using xdmp:invoke-function. Below is the code:

xquery version "1.0-ml";
declare namespace l = "local";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

(: Look up the role name for a role ID by running the sec call
   in the security database rather than the current database. :)
declare private function l:getperm($roleid) {
  xdmp:invoke-function(
    function() {
      sec:get-role-names($roleid)
    },
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
      <transaction-mode>update-auto-commit</transaction-mode>
      <isolation>different-transaction</isolation>
    </options>
  )
};

(: Print "role-name=capability" for each permission on the document. :)
for $perm in xdmp:document-get-permissions("http://marklogic.com/cpf/domains/18444233322793156516.xml")
return
  (l:getperm(xs:unsignedLong($perm/sec:role-id)) || "=" || xs:string($perm/sec:capability))

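Using the above method you can write XQuery (or indeed server-side JavaScript) that is executed in the context of another database. The role ID reaches the invoked function as a bound variable rather than being concatenated into a string of code, which makes this much better and more secure than eval()-ing code, and not prone to XQuery-injection attacks.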

The above code returns things like this:

domain-management=read

Much nicer to read!

In the above example, I’m looking at Domain document privileges (I shan't bore you with why), but you could look at a normal content document, or indeed anything stored within MarkLogic.
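For auditing an ordinary content document, the same technique can be wrapped into a report that groups capabilities by role. This is an added example, not code from the original article: the l:role-name and l:permission-report functions, the "unresolved-role-" label, and the document URI are hypothetical, and it assumes the default invoke options are sufficient for a read-only lookup.

```xquery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
declare namespace l = "local";

(: Resolve one role ID to its name inside the security database.
   The ID is captured by the closure as a typed value, never built
   into a code string. If the lookup raises an error or returns
   nothing, fall back to a label carrying the raw ID so the audit
   still shows the permission. :)
declare function l:role-name($role-id as xs:unsignedLong) as xs:string {
  let $name :=
    try {
      xdmp:invoke-function(
        function() { sec:get-role-names($role-id) },
        <options xmlns="xdmp:eval">
          <database>{xdmp:security-database()}</database>
        </options>
      )
    } catch ($e) {
      ()
    }
  return ($name/fn:string(), "unresolved-role-" || $role-id)[1]
};

(: One line per role: "role-name: capability, capability".
   Each distinct role ID is looked up once, however many
   capabilities it holds on the document. :)
declare function l:permission-report($uri as xs:string) as xs:string* {
  let $perms := xdmp:document-get-permissions($uri)
  for $role-id in fn:distinct-values($perms/sec:role-id)
  let $caps := $perms[sec:role-id = $role-id]/sec:capability/fn:string()
  return
    l:role-name(xs:unsignedLong($role-id))
      || ": " || fn:string-join($caps, ", ")
};

(: Placeholder URI; substitute a document in your content database. :)
l:permission-report("/example/placeholder.xml")
```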


Published at DZone with permission of Adam Fowler, DZone MVB. See the original article here.
