Fix repo group permissions #67

Merged
merged 4 commits into from Apr 12, 2021

joewiz (Member) commented Mar 10, 2021

Closes #55.

This PR is ready for review. But:

DO NOT MERGE until eXist-db/exist#3773 is merged. Effectively, then, the next release of the public-repo app with this PR merged will be tied to eXist 5.3.0-SNAPSHOT develop or the next stable release of eXist. To prevent inadvertent merging of this PR, I've marked it as a draft PR.

- repo.xml’s permissions element is used to set user and group ownership and mode on all collections and resources stored during installation.
- for collections and resources stored after installation, user and group ownership and mode need to be set separately
- but if we define the permissions correctly here, we can read from these definitions even after installation
- rwxrwxr-- ensures (1) default “repo” group can read and write documents and (2) all users can read and access collection contents. (Note that o+rx is needed for guest queries to run fn:collection.)

At the time pre-install runs, no resources have been stored in the database, so we can’t easily read from repo.xml to find the default permissions info. However, at the time post-install runs, these resources are present. (Assuming eXist-db/exist#3734 is closed, that is.) Thus, we will move all setup of public-repo-data collections to post-install.xql.

Ensure newly created documents and collections belong to the default “repo” group. This is needed when publishing packages and updating the logs, because a user who belongs to the “repo” group may have a different primary group. Primary groups are used when storing resources, so for example user “repojoe” is part of the “repo” group but has a primary group of “dba”, so resources created by this user will belong to group “dba”, and later when a user who is part of the “repo” group tries to update the document, they’ll get a permissions error.
joewiz added the bug label Mar 10, 2021
joewiz marked this pull request as ready for review March 10, 2021 16:33
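
The primary-group problem described in the PR description above, sketched in XQuery as an added example (this is not the PR's code). The collection paths, the `local:` function names and the sample log file name are assumptions; `xmldb:store`, `sm:chgrp`, `sm:chmod` and `sm:get-permissions` are eXist-db's own functions.

```xquery
xquery version "3.1";

(: Added example, not code from the PR. Paths and local: names are assumptions. :)
import module namespace sm = "http://exist-db.org/xquery/securitymanager";
import module namespace xmldb = "http://exist-db.org/xquery/xmldb";

declare namespace repo = "http://exist-db.org/xquery/repo";

(: Assumed install location of the app; repo.xml is stored at its root. :)
declare variable $local:app-root := "/db/apps/public-repo";
(: Assumed location of the data collection that holds the logs. :)
declare variable $local:logs-col := "/db/apps/public-repo-data/logs";

(: Read the default group and mode from repo.xml instead of hardcoding them. :)
declare function local:default-permissions() as element(repo:permissions) {
    let $p := doc($local:app-root || "/repo.xml")//repo:permissions
    return
        if (exists($p)) then
            $p[1]
        else
            error(xs:QName("local:no-permissions"),
                "repo.xml is missing or has no permissions element")
};

(: Reset group and mode on a stored resource or collection.
   Assumes the calling user is permitted to change them. :)
declare function local:apply-defaults($path as xs:string) as xs:string {
    let $p := local:default-permissions()
    return (
        sm:chgrp(xs:anyURI($path), string($p/@group)),
        sm:chmod(xs:anyURI($path), string($p/@mode)),
        $path
    )[last()]
};

(: Storing assigns the caller's primary group (e.g. "dba" for "repojoe"),
   so the defaults are re-applied immediately after every store. :)
declare function local:store-log($name as xs:string, $entry as element()) as xs:string {
    let $path := xmldb:store($local:logs-col, $name, $entry)
    return local:apply-defaults($path)
};

(: Constructed sample entry; the result shows the owner, group and mode now in effect. :)
let $path := local:store-log("sample-log.xml", <log/>)
return sm:get-permissions(xs:anyURI($path))
```

Without the `local:apply-defaults` call, the returned `sm:permission` element would report the storing user's primary group rather than the group declared in repo.xml.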
joewiz (Member Author) commented Mar 10, 2021

eXist-db/exist#3773 has been merged. BUT to make use of this PR in the public-repo we will need to update exist-db.org with 5.3.0-SNAPSHOT or the next stable release.

line-o (Member) commented Mar 11, 2021

I wonder if we could apply only a part of this PR that would rely on the permissions to be set correctly so that users of existdb < 5.3.0 would be able to benefit from it?

joewiz (Member Author) commented Mar 12, 2021

We're already requiring eXist 5, so I don't think it's a burden to raise the minimum version to 5.3.0 or higher. Monex already requires 5.3.0-SNAPSHOT.

The part of this PR that requires 5.3.0-SNAPSHOT (as of when eXist-db/exist#3773 was merged) is (1) 46df57c#diff-025e4893b72941ea2db029617e779ba1dd4e6806fa584d0b1fadb0296dba5c86L26 and (2) 46df57c#diff-025e4893b72941ea2db029617e779ba1dd4e6806fa584d0b1fadb0296dba5c86R61-R63. Specifically, the post-install.xq file reads from repo.xml to set permissions; in earlier versions of eXist, repo.xml is not yet available in the database at the time post-install.xq runs. A way to avoid the 5.3.0-SNAPSHOT dependency is to return to hardcoding the permissions values in post-install.xq.

To get this PR live on eXist-db.org, we would just need someone's help installing eXist-db 5.3.0-SNAPSHOT on exist-db.org.

line-o merged commit c5278d2 into eXist-db:master Apr 12, 2021
joewiz deleted the fix-repo-group-permissions branch October 13, 2021 15:43
Successfully merging this pull request may close these issues.

[BUG] Repo group users should be able to upload