[MarkLogic Dev General] REST API allows for downloading of code

Erik Hennum Erik.Hennum at marklogic.com
Sun Mar 29 07:15:34 PDT 2015

Hi, Danny:

My previous suggestion was incorrect.  The rest-extension-user role can read the source code for a resource service.

At present, there's no way to have a user who can execute a resource service but not read the resource service source.

In MarkLogic 8, the closest workaround would be to install a main module with any permissions you choose and invoke the main module.

Erik Hennum

From: general-bounces at developer.marklogic.com [general-bounces at developer.marklogic.com] on behalf of Danny Sinang [d.sinang at gmail.com]
Sent: Saturday, March 28, 2015 10:34 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] REST API allows for downloading of code

Hi Erik,

Thanks, but just to be clear, are you saying that, in order to prevent normal users (who can execute REST API extensions) from accessing their corresponding source code, I need to limit those users' roles to just the rest-extension-user?


On Sat, Mar 28, 2015 at 11:08 AM, Erik Hennum <Erik.Hennum at marklogic.com> wrote:
Hi, Danny:

Starting in 7.0-3 (I think), only a user with the rest-extension-user role can execute a REST extension.

You can define a role that inherits the rest-extension-user role and has the rest-reader privilege (not the rest-reader role) and rest-writer privilege (again, not the role).

I know that users with such roles can execute extensions and read and write documents.

I suspect (but haven't confirmed) that such users can't read extensions.

Hoping that's useful,

Erik Hennum

From: general-bounces at developer.marklogic.com [general-bounces at developer.marklogic.com] on behalf of Danny Sinang [d.sinang at gmail.com]
Sent: Saturday, March 28, 2015 6:55 AM
To: general
Subject: [MarkLogic Dev General] REST API allows for downloading of code

ML apparently allows downloading of code for REST API resource extensions as documented in https://docs.marklogic.com/guide/rest-dev/extensions#id_20662 .

For security purposes, is there a way to control which user can execute these REST API resource extensions and who can download their corresponding code?

