Set permissions when storing documents & cols

joewiz · joewiz · commit 40fe860bba26 · 2021-03-10T04:03:46.000-05:00
Ensure newly created documents and collections belong to the default “repo” group. This is needed when publishing packages and updating the logs, because a user who belongs to the “repo” group may have a different primary group. Primary groups are used when storing resources, so for example user “repojoe” is part of the “repo” group but has a primary group of “dba”, so resources created by this user will belong to group “dba”, and later when a user who is part of the “repo” group tries to update the document, they’ll get a permissions error.
diff --git a/modules/log.xqm b/modules/log.xqm
@@ -27,6 +27,7 @@ xquery version "3.1";
 module namespace log="http://exist-db.org/xquery/app/log";
 
 import module namespace config="http://exist-db.org/xquery/apps/config" at "config.xqm";
+import module namespace scanrepo="http://exist-db.org/xquery/admin/scanrepo" at "scan.xqm";
 
 (:~
  : Append entries to the structured application event log
@@ -36,21 +37,21 @@ import module namespace config="http://exist-db.org/xquery/apps/config" at "conf
  :)
 declare function log:event($event as element(event)) as empty-sequence() {
     let $today := current-date()
-    let $log-collection := log:collection($today)
+    let $log-collection-name := log:collection($today)
+    let $log-collection := $config:logs-col || "/" || $log-collection-name
     let $log-document-name := log:document-name($today)
-    let $log-document-path :=
-        ($config:logs-col, $log-collection, $log-document-name) 
-        => string-join("/") 
-    let $_ :=
-        if (doc-available($log-document-path)) then 
-            update insert $event into doc($log-document-path)/public-repo-log
-        else ( 
-            log:mkcol($config:logs-col, $log-collection),
-            xmldb:store(
-                $config:logs-col || "/" || $log-collection,
-                $log-document-name, 
-                element public-repo-log { $event })
-        )
+    let $log-document := $log-collection || "/" || $log-document-name
+    let $store-log :=
+        if (doc-available($log-document)) then 
+            update insert $event into doc($log-document)/public-repo-log
+        else 
+            ( 
+                if (xmldb:collection-available($log-collection)) then
+                    ()
+                else
+                    log:mkcol($config:logs-col, $log-collection-name),
+                scanrepo:store($log-collection, $log-document-name, element public-repo-log { $event })
+            )
     return
         ()
 };
@@ -76,7 +77,11 @@ function log:mkcol-recursive($collection as xs:string, $components as xs:string*
     if (exists($components)) then
         let $newColl := concat($collection, "/", $components[1])
         return (
-            xmldb:create-collection($collection, $components[1]),
+            xmldb:create-collection($collection, $components[1]) ! 
+                (
+                    sm:chgrp(xs:anyURI(.), config:repo-permissions()?mode),
+                    .
+                ),
             log:mkcol-recursive($newColl, subsequence($components, 2))
         )
     else
diff --git a/modules/publish-package.xq b/modules/publish-package.xq
@@ -32,7 +32,7 @@ declare function local:log-put-package-event($filename as xs:string) as empty-se
 };
 
 declare function local:upload-and-publish($xar-filename as xs:string, $xar-binary as xs:base64Binary) {
-    let $path := xmldb:store($config:packages-col, $xar-filename, $xar-binary)
+    let $path := scanrepo:store($config:packages-col, $xar-filename, $xar-binary)
     let $publish := scanrepo:publish-package($xar-filename)
     return
         map { 
diff --git a/modules/scan.xqm b/modules/scan.xqm
@@ -17,6 +17,18 @@ declare namespace xmldb="http://exist-db.org/xquery/xmldb";
 
 declare namespace expath="http://expath.org/ns/pkg";
 
+(:~
+ : Helper function to store resources and set permissions for access by repo group
+ :)
+declare function scanrepo:store($collection-uri as xs:string, $resource-name as xs:string, $contents as item()?) as xs:string {
+    xmldb:store($collection-uri, $resource-name, $contents) !
+        (
+            sm:chgrp(., config:repo-permissions()?group),
+            sm:chmod(., config:repo-permissions()?mode),
+            .
+        )
+};
+
 (:~
  : Helper function to store a package's icon and transform its metadata into the format needed for raw-metadata
  :)
@@ -26,7 +38,7 @@ function scanrepo:handle-icon($path as xs:string, $data as item()?, $param as it
     let $pkgName := substring-before($param, ".xar")
     let $suffix := replace($path, "^.*\.([^\.]+)", "$1")
     let $name := concat($pkgName, ".", $suffix)
-    let $stored := xmldb:store($config:icons-col, $name, $data)
+    let $stored := scanrepo:store($config:icons-col, $name, $data)
     return
         element icon { $name }
 };
@@ -214,7 +226,7 @@ declare function scanrepo:rebuild-package-groups() as xs:string {
                 $group
         }
     return
-        xmldb:store($config:metadata-col, $config:package-groups-doc-name, $package-groups)
+        scanrepo:store($config:metadata-col, $config:package-groups-doc-name, $package-groups)
 };
 
 (:~
@@ -229,7 +241,7 @@ declare function scanrepo:rebuild-raw-packages() as xs:string {
                 scanrepo:extract-raw-package($package-xar)
         }
     return
-        xmldb:store($config:metadata-col, $config:raw-packages-doc-name, $raw-packages)
+        scanrepo:store($config:metadata-col, $config:raw-packages-doc-name, $raw-packages)
 };
 
 (:~
