You’d like to get a list of a particular user’s permissions on a document.
xdmp:document-get-permissions() function will get all permissions, but you can narrow it down after identifying the user’s roles.
let $roles := xdmp:user-roles("some-user") return xdmp:document-get-permissions("/content/some-doc.json") [sec:role-id = $roles]/sec:capability/fn:string()
The result will be a sequence of permission strings from among “read”, “update”, “insert”, and “execute”.
Permissions are assigned to a document by role. Users are also assigned roles, and through them gain access to documents.
The first step of this recipe is to gather the roles that the specified user has. The
xdmp:user-roles() function returns both the roles that the user has been directly granted and any inherited roles.
With the roles in hand, we can retrieve all the permissions on the target document, then use some XPath to retrieve just the ones we are interested in.