[MOD] XQuery: Permissions of standard functions. Closes #2384

Author: ChristianGruen

basex-core/src/main/java/org/basex/query/QueryError.java

@@ -57,8 +57,6 @@ public enum QueryError {
   /** Error code. */
   BASEX_OVERFLOW(BASEX, "overflow", "Stack Overflow: Try tail recursion?"),
   /** Error code. */
-  BASEX_PERMISSION_X(BASEX, "permission", "No % permission."),
-  /** Error code. */
   BASEX_PERMISSION_X_X(BASEX, "permission", "No % permission: %."),
   /** Error code. */
   BASEX_RESTXQ_X(BASEX, "restxq", "%"),

basex-core/src/main/java/org/basex/query/QueryResources.java

@@ -171,12 +171,13 @@ public synchronized void addFunctions(final String path, final Value funcs) {
    * Opens a new database or returns a reference to an already opened database.
    * @param name name of database
    * @param user current user
+   * @param updating updating access
    * @param info input info (can be {@code null})
    * @return database instance
    * @throws QueryException query exception
    */
-  public synchronized Data database(final String name, final User user, final InputInfo info)
-      throws QueryException {
+  public synchronized Data database(final String name, final User user, final boolean updating,
+      final InputInfo info) throws QueryException {
 
     final boolean mainmem = context.options.get(MainOptions.MAINMEM);
 
@@ -188,7 +189,8 @@ public synchronized Data database(final String name, final User user, final Inpu
     }
 
     // open and register database
-    if(!user.has(Perm.READ, name)) throw BASEX_PERMISSION_X_X.get(info, Perm.READ, name);
+    final Perm perm = updating ? Perm.WRITE : Perm.READ;
+    if(!user.has(perm, name)) throw BASEX_PERMISSION_X_X.get(info, perm, name);
     try {
       return addData(Open.open(name, context, context.options, true, false));
     } catch(final IOException ex) {

basex-core/src/main/java/org/basex/query/expr/ParseExpr.java

@@ -6,6 +6,7 @@
 
 import java.util.*;
 
+import org.basex.core.users.*;
 import org.basex.data.*;
 import org.basex.query.*;
 import org.basex.query.ann.*;
@@ -214,6 +215,29 @@ protected final void checkAllUp(final Expr... exprs) throws QueryException {
     }
   }
 
+  /**
+   * Checks if the current user has the given permissions. If negative, an exception is thrown.
+   * @param qc query context
+   * @param perm permission
+   * @throws QueryException query exception
+   */
+  protected void checkPerm(final QueryContext qc, final Perm perm) throws QueryException {
+    if(!qc.user.has(perm)) throw BASEX_PERMISSION_X_X.get(info, perm, this);
+  }
+
+  /**
+   * Checks if the current user has the given permissions for the specified database.
+   * If negative, an exception is thrown.
+   * @param qc query context
+   * @param perm permission
+   * @param name name of resource
+   * @throws QueryException query exception
+   */
+  protected void checkPerm(final QueryContext qc, final Perm perm, final String name)
+      throws QueryException {
+    if(!qc.user.has(perm, name)) throw BASEX_PERMISSION_X_X.get(info(), perm, this);
+  }
+
   /**
    * Returns the current context value or throws an exception if the context value is not set.
    * @param qc query context

basex-core/src/main/java/org/basex/query/func/Function.java

@@ -542,7 +542,7 @@ ARRAY_ZM, flag(HOF)),
       params(QNAME_ZO), NCNAME_ZO),
   /** XQuery function. */
   PUT(FnPut::new, "put(node,source[,options])",
-      params(NODE_O, STRING_ZO, ITEM_ZO), EMPTY_SEQUENCE_Z, flag(UPD), FN_URI, Perm.CREATE),
+      params(NODE_O, STRING_ZO, ITEM_ZO), EMPTY_SEQUENCE_Z, flag(UPD), FN_URI, Perm.ADMIN),
   /** XQuery function. */
   QNAME(FnQName::new, "QName(uri,qname)",
       params(STRING_ZO, STRING_O), QNAME_O),
@@ -1245,7 +1245,7 @@ ANY_URI_O, flag(NDT), CLIENT_URI, Perm.CREATE),
       params(STRING_O, STRING_O), BOOLEAN_O, flag(NDT), DB_URI),
   /** XQuery function. */
   _DB_EXPORT(DbExport::new, "export(database,path[,param])",
-      params(STRING_O, STRING_O, ITEM_O), EMPTY_SEQUENCE_Z, flag(NDT), DB_URI, Perm.CREATE),
+      params(STRING_O, STRING_O, ITEM_O), EMPTY_SEQUENCE_Z, flag(NDT), DB_URI, Perm.ADMIN),
   /** XQuery function. */
   _DB_FLUSH(DbFlush::new, "flush(database)",
       params(ITEM_O), EMPTY_SEQUENCE_Z, flag(UPD), DB_URI),

basex-core/src/main/java/org/basex/query/func/StandardFunc.java

@@ -647,17 +647,7 @@ protected final HashMap<String, Value> toBindings(final Expr expr, final QueryCo
   protected final Data toData(final QueryContext qc) throws QueryException {
     final Data data = exprType.data();
     return data != null ? data : qc.resources.database(
-        toName(arg(0), false, DB_NAME_X, qc), qc.user, info);
-  }
-
-  /**
-   * Checks if the current user has given permissions. If negative, an exception is thrown.
-   * @param qc query context
-   * @param perm permission
-   * @throws QueryException query exception
-   */
-  protected void checkPerm(final QueryContext qc, final Perm perm) throws QueryException {
-    if(perm != Perm.NONE && !qc.user.has(perm)) throw BASEX_PERMISSION_X_X.get(info, perm, this);
+        toName(arg(0), false, DB_NAME_X, qc), qc.user, definition.has(Flag.UPD), info);
   }
 
   /**

basex-core/src/main/java/org/basex/query/func/db/DbAlterBackup.java

@@ -2,6 +2,7 @@
 
 import static org.basex.query.QueryError.*;
 
+import org.basex.core.users.*;
 import org.basex.query.*;
 import org.basex.query.up.*;
 import org.basex.query.up.primitives.name.*;
@@ -23,6 +24,7 @@ public Item item(final QueryContext qc, final InputInfo ii) throws QueryExceptio
     final String name = toName(arg(0), false, qc), newname = toName(arg(1), false, qc);
     if(name.equals(newname)) throw DB_CONFLICT4_X.get(info, name, newname);
 
+    checkPerm(qc, Perm.CREATE, name);
     final StringList backups = qc.context.databases.backups(name);
     if(backups.isEmpty()) throw DB_NOBACKUP_X.get(info, name);
 

basex-core/src/main/java/org/basex/query/func/db/DbCopy.java

@@ -2,6 +2,7 @@
 
 import static org.basex.query.QueryError.*;
 
+import org.basex.core.users.*;
 import org.basex.query.*;
 import org.basex.query.up.primitives.name.*;
 import org.basex.query.util.*;
@@ -33,6 +34,7 @@ final void copy(final QueryContext qc, final boolean keep) throws QueryException
     if(name.equals(newname)) throw DB_CONFLICT4_X.get(info, name, newname);
 
     // source database does not exist
+    checkPerm(qc, Perm.CREATE, name);
     if(!qc.context.soptions.dbExists(name)) throw DB_OPEN1_X.get(info, name);
 
     qc.updates().add(keep ? new DBCopy(name, newname, qc, info) :

basex-core/src/main/java/org/basex/query/func/db/DbCreate.java

@@ -4,6 +4,7 @@
 
 import java.util.*;
 
+import org.basex.core.users.*;
 import org.basex.query.*;
 import org.basex.query.iter.*;
 import org.basex.query.up.primitives.*;
@@ -24,6 +25,7 @@ public final class DbCreate extends DbNew {
   @Override
   public Item item(final QueryContext qc, final InputInfo ii) throws QueryException {
     final String name = toName(arg(0), false, qc);
+    checkPerm(qc, Perm.CREATE, name);
 
     final StringList paths = new StringList();
     final Iter iter = arg(2).iter(qc);

basex-core/src/main/java/org/basex/query/func/db/DbCreateBackup.java

@@ -2,6 +2,7 @@
 
 import static org.basex.query.QueryError.*;
 
+import org.basex.core.users.*;
 import org.basex.query.*;
 import org.basex.query.up.primitives.name.*;
 import org.basex.query.value.item.*;
@@ -19,6 +20,8 @@ public final class DbCreateBackup extends BackupFn {
   public Item item(final QueryContext qc, final InputInfo ii) throws QueryException {
     final String name = toName(arg(0), true, qc);
     final CreateBackupOptions options = toOptions(arg(1), new CreateBackupOptions(), qc);
+
+    checkPerm(qc, Perm.CREATE, name);
     if(!name.isEmpty() && !qc.context.soptions.dbExists(name)) throw DB_OPEN1_X.get(info, name);
 
     final String comment = options.get(CreateBackupOptions.COMMENT);

basex-core/src/main/java/org/basex/query/func/db/DbDrop.java

@@ -2,6 +2,7 @@
 
 import static org.basex.query.QueryError.*;
 
+import org.basex.core.users.*;
 import org.basex.query.*;
 import org.basex.query.up.primitives.name.*;
 import org.basex.query.value.item.*;
@@ -18,7 +19,10 @@ public final class DbDrop extends DbAccessFn {
   @Override
   public Item item(final QueryContext qc, final InputInfo ii) throws QueryException {
     final String name = toName(arg(0), false, qc);
+
+    checkPerm(qc, Perm.CREATE, name);
     if(!qc.context.soptions.dbExists(name)) throw DB_OPEN1_X.get(info, name);
+
     qc.updates().add(new DBDrop(name, qc, info), qc);
     return Empty.VALUE;
   }