[MarkLogic Dev General] XDMP-MODNOTFOUND: (err:XQST0059) Module /opt/MarkLogic/Modules/MarkLogic/security.xqy not found

Michael Blakeley mike at blakeley.com
Mon Nov 14 12:15:55 PST 2011


Don't neglect the built-in xdmp security functions either: http://developer.marklogic.com/pubs/4.2/apidocs/Security.html

But that module import behavior doesn't sound right to me. Here's a test that I ran with 5.0-1:

xdmp:eval('
import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
xdmp:get-current-user(),
xdmp:get-current-roles()', (), <options xmlns="xdmp:eval">
{
  element user-id { xdmp:user('nobody') }
}
</options>),
xdmp:role('app-user')
=>
nobody
14918370877051183774
14918370877051183774

When I look at http://localhost:8001/role-info.xqy?section=security&role=14918370877051183774 I see that the app-user role has very few privileges: xdmp:value, xdmp:with-namespaces, xdmp:xslt-invoke. I don't think any of those will have any effect on module imports.

But just for fun I also tried removing the app-user role from nobody. I was still able to evaluate the above query, with the expected results:

nobody
14918370877051183774

So I think you may be hitting a bug in an older release, or perhaps something else is wrong with the install that you are developing against.

-- Mike 

On 14 Nov 2011, at 11:07 , Tim Meagher wrote:

> Hi Danny,
>  
> I was reviewing my code and noticed that the pertinent modules don’t actually reference any of the sec: functions, so I removed the imports and no more complaints.
>  
> Unfortunately the users do not have access to other custom modules in the Modules database, so I’m wondering if there is a required role for non-admin users to access the Modules database.
>  
> Thank you!
>  
> Tim
>  
> From: general-bounces at developer.marklogic.com [mailto:general-bounces at developer.marklogic.com] On Behalf Of Danny Sokolsky
> Sent: Monday, November 14, 2011 1:59 PM
> To: General MarkLogic Developer Discussion
> Subject: Re: [MarkLogic Dev General] XDMP-MODNOTFOUND: (err:XQST0059) Module /opt/MarkLogic/Modules/MarkLogic/security.xqy not found
>  
> Hi Tim,
>  
> 4 points here:
>  
> 1)      If you want your code to import the security module, it should import it at the path “/MarkLogic/security.xqy” as / resolves relative to the Modules directory.
> 2)      Your users will not be able to run code in that module unless they have the security role, and you do not want to give them the security role (as then they can do almost anything).  So you will have to encapsulate that code into your own function and then amp that function.
> 3)      Note the security.xqy needs to be run against the security database, so you will probably need to do an eval or invoke against the security db.
> 4)      If what you are talking about is permissions as you say, then security.xqy is likely not the tool you need.  Permissions are on documents, not stored in the security db.  Users should be able to see the permissions of documents that they have permissions to read (using xdmp:document-get-permissions, for example).
>  
> I think point 1 is probably what you are running into, but I also think this is probably not going to do what you think it is, so you might want to step back and look at what you are trying to do.
>  
> -Danny
>  
> From: general-bounces at developer.marklogic.com [mailto:general-bounces at developer.marklogic.com] On Behalf Of Tim Meagher
> Sent: Monday, November 14, 2011 10:44 AM
> To: 'General MarkLogic Developer Discussion'
> Subject: [MarkLogic Dev General] XDMP-MODNOTFOUND: (err:XQST0059) Module /opt/MarkLogic/Modules/MarkLogic/security.xqy not found
>  
> I have written a module that checks user permissions before deciding what features they can access in a web form.  The code imports the security module which is mapped to  /opt/MarkLogic/Modules/MarkLogic/security.xqy, but it appears that non-admin users cannot find the security module.  Is there a role that I can simply assign to the pertinent user to avoid this problem?  I’m running MarkLogic 4.1.
>  
> Thank you!
>  
> Tim Meagher