Currently I'm working on an application that makes queries on a given MarkLogic database, the default one as we can say, but to provide same values on the screen I have to check the role of the logged-in user before displaying. This can be done by querying the Security database, the one provided by MarkLogic itself, but I don't know how to explicitly declare in the query that I want to query that particular database instead of the default one. Do you know some command that could help me? Thank you!
1 Answer
4
You can use eval to query against another database:
    xdmp:eval("doc('/docs/mydoc.xml')", (),
      <options xmlns="xdmp:eval">
        <database>{xdmp:database("otherdb")}</database>
      </options>)
See: https://docs.marklogic.com/xdmp:eval
Also, if you are querying the security database specifically, then instead of xdmp:database you can use xdmp:security-database.

wst
-
Keep in mind that if you need to access documents in the Security database, that user will need the security role, otherwise the Security database will appear empty (due to document permissions on all security assets). Be careful with handing out that role to a user. Instead, consider wrapping access to the security database in a highly constrained function which you Amp to gain security role, rather than handing that role to the end user. – grtjn Sep 09 '17 at 18:17
-
@grtjn Good suggestion. Another idea would be to design a query around documents with various role-based permissions, such that the values the OP wants to display conditionally based on roles would simply be the result of the query, avoiding querying the security database altogether. – wst Sep 09 '17 at 21:08
-
Both of you raised interesting points on the security access. The query I need is only used to decide whether or not the current user can see parts of the console I'm displaying, but I'm wondering if it can be used to do some kind of exploit on the server. – MissArmstrong Sep 11 '17 at 15:20
-
@ChiaraDiNardo It depends on how it's implemented. If you're never evaluating strings passed from the client, then it's probably fine. Using an amp, as grtjn suggests, is safer. – wst Sep 11 '17 at 22:52
-
Actually, the query that I'm doing is just to show some parts of the website instead of others, according to the user role, but all the info about him is taken directly by querying the security database, starting from his login credentials, so it shouldn't be a huge problem, but being an important database I want to limit its access as much as I can. – MissArmstrong Sep 12 '17 at 18:14
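
Added example (not part of the original thread): one way to apply the answer's xdmp:eval approach to the role check discussed in the comments, keeping the evaluated query a constant string and passing the role name as an external variable instead of building query text from client input. The module namespace and function name are hypothetical; it is written as a library module function because that is the kind of unit an amp is attached to, and the amp itself is configured separately and is not shown.

```xquery
xquery version "1.0-ml";

(: Added example, not code from the original answer.
   Namespace and function name are hypothetical. :)
module namespace ui = "http://example.com/ui-roles";

(: The evaluated query is a constant: no client-supplied text is ever
   concatenated into it. The only input is the typed external variable. :)
declare variable $ui:ROLE-CHECK as xs:string := '
  xquery version "1.0-ml";
  import module namespace sec = "http://marklogic.com/xdmp/security"
      at "/MarkLogic/security.xqy";
  declare variable $role as xs:string external;
  (: role ids of the calling user, resolved to names in the Security database :)
  sec:get-role-names(xdmp:get-current-roles()) = $role
';

(: Returns true when the current user holds the named role.
   Runs against the Security database, as in the answer above. :)
declare function ui:current-user-has-role($role as xs:string) as xs:boolean
{
  xdmp:eval(
    $ui:ROLE-CHECK,
    (xs:QName("role"), $role),
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
    </options>)
};
```

The function exposes only a boolean to the caller, so page code can decide what to render without ever receiving documents from the Security database.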