Fix repo group permissions #67
- repo.xml’s permissions element is used to set user and group ownership and mode on all collections and resources stored during installation.
- for collections and resources stored after installation, user and group ownership and mode need to be set separately
- but if we define the permissions correctly here, we can read from these definitions even after installation
- rwxrwxr-- ensures (1) default “repo” group can read and write documents and (2) all users can read and access collection contents. (Note that o+rx is needed for guest queries to run fn:collection.)
At the time pre-install runs, no resources have been stored in the database, so we can’t easily read from repo.xml to find the default permissions info. However, at the time post-install runs, these resources are present. (Assuming eXist-db/exist#3734 is closed, that is.) Thus, we will move all setup of public-repo-data collections to post-install.xql.
Ensure newly created documents and collections belong to the default “repo” group. This is needed when publishing packages and updating the logs, because a user who belongs to the “repo” group may have a different primary group. Primary groups are used when storing resources, so for example user “repojoe” is part of the “repo” group but has a primary group of “dba”, so resources created by this user will belong to group “dba”, and later when a user who is part of the “repo” group tries to update the document, they’ll get a permissions error.
eXist-db/exist#3773 has been merged. BUT to make use of this PR in the public-repo we will need to update exist-db.org with 5.3.0-SNAPSHOT or the next stable release.
I wonder if we could apply only a part of this PR that would rely on the permissions to be set correctly so that users of existdb < 5.3.0 would be able to benefit from it?
We're already requiring eXist 5, so I don't think it's a burden to raise the minimum version to 5.3.0 or higher. Monex already requires 5.3.0-SNAPSHOT. The part of this PR that requires 5.3.0-SNAPSHOT (as of when eXist-db/exist#3773 was merged) is (1) 46df57c#diff-025e4893b72941ea2db029617e779ba1dd4e6806fa584d0b1fadb0296dba5c86L26 and (2) 46df57c#diff-025e4893b72941ea2db029617e779ba1dd4e6806fa584d0b1fadb0296dba5c86R61-R63. Specifically, the To get this PR live on eXist-db.org, we would just need someone's help installing eXist-db 5.3.0-SNAPSHOT on exist-db.org.
Closes #55.
This PR is ready for review. But:
DO NOT MERGE until eXist-db/exist#3773 is merged.

Effectively, then, the next release of the public-repo app with this PR merged will be tied to eXist 5.3.0-SNAPSHOT develop or the next stable release of eXist.

To prevent inadvertent merging of this PR, I've marked it as a draft PR.
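
The group fix-up described in the commit messages above (read the defaults from repo.xml, then reset group and mode on anything stored after installation), as an added XQuery example that is not code from this PR or the public-repo project. The repo.xml path, the `local:` function names, the `logs` subcollection and the document name are assumptions, as is the premise that the calling user is permitted to change the resource's group.

```xquery
xquery version "3.1";

declare namespace repo = "http://exist-db.org/xquery/repo";

(: Assumed location of the installed app's repo.xml; adjust to your install. :)
declare variable $local:repo-xml := "/db/apps/public-repo/repo.xml";

(: Read the default group and mode from repo.xml's permissions element,
   e.g. <permissions user="repo" group="repo" mode="rwxrwxr--"/> (constructed sample).
   Fails with a type error if repo.xml or the element is missing. :)
declare function local:default-permissions() as element(repo:permissions) {
    doc($local:repo-xml)/repo:meta/repo:permissions
};

(: Store a document, then reset its group and mode to the repo.xml defaults.
   Without the sm:chgrp call the resource keeps the storing user's primary
   group (e.g. "dba"), and other members of "repo" cannot update it later. :)
declare function local:store(
    $collection as xs:string,
    $name as xs:string,
    $content as item()
) as xs:string {
    let $permissions := local:default-permissions()
    let $path := xmldb:store($collection, $name, $content)
    let $uri := xs:anyURI($path)
    return (
        sm:chgrp($uri, string($permissions/@group)),
        sm:chmod($uri, string($permissions/@mode)),
        $path
    )
};

(: Hypothetical data collection and log document, used only for illustration. :)
let $path := local:store("/db/apps/public-repo-data/logs", "example-log.xml", <log/>)
return
    (: Inspect the result: group and mode should match repo.xml. :)
    sm:get-permissions(xs:anyURI($path))
```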