[MarkLogic Dev General] REST API allows for downloading of code
Erik.Hennum at marklogic.com
Sun Mar 29 07:15:34 PDT 2015
My previous suggestion was incorrect. The rest-extension-user role can read the source code for a resource service.
At present, there's no way to have a user who can execute a resource service but not read the resource service source.
In MarkLogic 8, the closest workaround would be to install a main module with any permissions you choose and invoke the main module.
From: general-bounces at developer.marklogic.com [general-bounces at developer.marklogic.com] on behalf of Danny Sinang [d.sinang at gmail.com]
Sent: Saturday, March 28, 2015 10:34 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] REST API allows for downloading of code
Thanks, but just to be clear, are you saying that, in order to prevent normal users (who can execute REST API extensions) from accessing their corresponding source code, I need to limit those users' roles to just the rest-extension-user?
On Sat, Mar 28, 2015 at 11:08 AM, Erik Hennum <Erik.Hennum at marklogic.com> wrote:
Starting in 7.0-3 (I think), only a user with the rest-extension-user role can execute a REST extension.
You can define a role that inherits the rest-extension-user role and has the rest-reader privilege (not the rest-reader role) and rest-writer privilege (again, not the role).
I know that users with such roles can execute extensions and read and write documents.
I suspect (but haven't confirmed) that such users can't read extensions.
Hoping that's useful,
From: general-bounces at developer.marklogic.com [general-bounces at developer.marklogic.com] on behalf of Danny Sinang [d.sinang at gmail.com]
Sent: Saturday, March 28, 2015 6:55 AM
Subject: [MarkLogic Dev General] REST API allows for downloading of code
ML apparently allows downloading of code for REST API resource extensions as documented in https://docs.marklogic.com/guide/rest-dev/extensions#id_20662 .
For security purposes, is there a way to control which user can execute these REST API resource extensions and who can download their corresponding code?