for a project I am currently working on we access an exist-db (last
snapshot) via xml-rpc. Exist is installed in tomcat. On the client side
we use python.
Now, two questions have come up I am not able to solve:
No matter how I set the permissions of collections or xml documents (via
the java client) any user accessing the database via xml rpc can do
arbitrary modifications to collections or documnts.
Is there any way I can make shure that only persons with the correct
right can modify (delete, rename,...) objects in the database? What I
would like to see is that the database or the XmlRpc layer raises an
exception if a user tries to perform an action they do not have the
right to do.
CLosely related to permissions currently in our setup a user without
authentification is able to acces collections or documents marked as
private for a given user or group (700 or 770). Is there a solution to
deny access to non-authentificated users to a resource?
> No matter how I set the permissions of collections or xml documents (via
> the java client) any user accessing the database via xml rpc can do
> arbitrary modifications to collections or documnts.
This should not be possible if you pass the correct user credentials
on the client side. I'm quite sure that access control in eXist does
work and permissions are respected. The Java client also uses xmlrpc
for communication. For example, if you restrict read permissions to
the owner, all other users will get an exception.
So please re-check what credentials are passed in by your python code.
You should also set a password for the admin user. As long as no
password is set for admin, the other users can (mostly) do what they