XRX/User Manager

Motivation
You want to manage a group of users of your web site, validate their roles on the site, and track user-dependent information. This application will manage a list of users, and associate with the users the number of attempted logins, their session timeout interval, and the roles they are assigned.

Method
Our application will use Role-Based Access Control (RBAC). We will use several functions to perform user management:

xmldb:login($collection, $user, $pass) will log the user into the system and verify they have write access to a collection.

Note that to log the user out, we will change the login to the user "guest."

xmldb:get-current-user will return the user-id of the current user.

We will also need to add a new function that will check to see if a given user has a role.

auth:has-role(xmldb:get-current-user(), $role) as xs:boolean checks whether a user has a given role.

It returns true if the current user has the given role.

User Data
The following is an example of a user's information. Note that we do not store the password in this file. The eXist system is used to store the user's password.

In the above example, the user jdoe has the roles ba and ba-admin, which means the user is classified as a business analyst and also has the ability to administer the business analyst tools in the system.

So the following function:

auth:has-role('jdoe', 'ba')

will return true

Login Form
The following is a simplified login form that lets the user enter a login and a password and submits them with an HTTP POST. Note that this differs from the standard eXist login, which places the password on the URL using an HTTP GET; because URLs are written to log files, that can compromise the security of the system.

The form also tells the user which URI they will be returned to on success ({$return-uri}), followed by the standard page footer ({style:footer}).
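A login form of the kind described above, written as an added example rather than the wikibook's own code. It is an XQuery main module that renders an XHTML form whose method is post, so the user name and password travel in the request body instead of the URL. The default return URI, the name login-check.xq for the verification script, and the collection paths are assumptions.

```xquery
xquery version "1.0";
(: Added example: login form that submits credentials with HTTP POST.
   Paths and the login-check.xq file name are assumptions. :)
declare option exist:serialize "method=xhtml media-type=text/html indent=yes";

(: where to send the user after a successful login; defaults to an assumed home page :)
let $return-uri := request:get-parameter('return',
                        '/exist/rest/db/xrx/apps/user-manager/index.xq')
return
<html>
  <head><title>Login</title></head>
  <body>
    <h1>Login</h1>
    <!-- method="post": user name and password are sent in the body, not the URL -->
    <form method="post" action="login-check.xq">
      <label>User: <input type="text" name="user"/></label><br/>
      <label>Password: <input type="password" name="pass"/></label><br/>
      <!-- the return URI rides along as a hidden field -->
      <input type="hidden" name="return" value="{$return-uri}"/>
      <input type="submit" value="Login"/>
    </form>
    <p>We will return to the following URI on success: {$return-uri}</p>
  </body>
</html>
```

The password field uses type="password" so it is masked on screen, but the only thing that keeps it out of server logs is the POST method; a GET form with the same fields would put it in the query string.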

Login Verification Script
The following script takes incoming login data from an HTTP POST operation and performs a login. HTTP POST data arrives via request:get-data() in the following key-value-pair format:

user=jdoe&pass=mypass&return=/exist/rest/db/xrx/apps/test/view/view-item.xq&id=47

Note that we assume that the user-id is in the first key-value pair and the pass is in the second. If you want a more general interface you can scan for the correct key in all the incoming form key-value pairs.
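A login verification script for the POST body shown above, added here as an example and not the wikibook's own script. It takes the more general route mentioned in the note: it scans every key-value pair for user, pass and return, so their order in the body does not matter. It logs in with xmldb:login(), remembers the user in the HTTP session, and redirects. The collection path, the session attribute name, the error parameter and the login.xq/index.xq URIs are assumptions, and the decoding step assumes eXist's util:unescape-uri() function.

```xquery
xquery version "1.0";
(: Added example: verify a POSTed login. Paths, the "user" session
   attribute and the error=1 parameter are assumptions. :)
declare variable $local:collection := '/db/xrx/apps/user-manager';
declare variable $local:login-uri  := '/exist/rest/db/xrx/apps/user-manager/login.xq';
declare variable $local:home-uri   := '/exist/rest/db/xrx/apps/user-manager/index.xq';

(: Decoded value of $key in a form-encoded body, wherever the pair sits.
   Form encoding writes spaces as "+", so turn those into %20 before unescaping
   (util:unescape-uri is assumed to be eXist's URI-decoding function). :)
declare function local:form-value($body as xs:string, $key as xs:string) as xs:string? {
    let $pair := tokenize($body, '&amp;')[substring-before(., '=') = $key][1]
    return
        if (empty($pair)) then ()
        else util:unescape-uri(replace(substring-after($pair, '='), '\+', '%20'), 'UTF-8')
};

(: Only send the user back to a location inside this eXist instance; an
   unchecked return value would let a crafted link bounce users off-site. :)
declare function local:safe-return($return as xs:string?) as xs:string {
    if (exists($return) and starts-with($return, '/exist/rest/db/')) then $return
    else $local:home-uri
};

let $body   := string(request:get-data())
let $user   := local:form-value($body, 'user')
let $pass   := local:form-value($body, 'pass')
let $return := local:safe-return(local:form-value($body, 'return'))
let $ok :=
    if (empty($user) or empty($pass)) then false()
    else xmldb:login($local:collection, $user, $pass)
return
    if ($ok) then (
        (: remember who is logged in for later auth:validate-user() checks :)
        session:set-attribute('user', $user),
        response:redirect-to(xs:anyURI($return))
    ) else
        (: failure: do not echo the password or say which part was wrong :)
        response:redirect-to(xs:anyURI(concat($local:login-uri,
            '?error=1&amp;return=', encode-for-uri($return))))
```

The failure branch deliberately reports only that the login failed; echoing the submitted user name or password back into a URL would put it in the same log files the POST form was meant to keep it out of.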

Logout Script
The following script logs you out of the system. Technically, it just logs you in as the user that has read-only access.
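A logout script matching that description, added as an example and not the wikibook's own. It switches the connection to the read-only guest account and also invalidates the HTTP session, so the user attribute stored at login is gone and a later auth:validate-user() check fails. The guest password (eXist's default is "guest") and the login.xq URI are assumptions.

```xquery
xquery version "1.0";
(: Added example: "log out" by becoming guest and dropping the session.
   The guest password and the redirect target are assumptions. :)
declare variable $local:login-uri := '/exist/rest/db/xrx/apps/user-manager/login.xq';

(
    (: become the read-only user for the rest of this request :)
    xmldb:login('/db', 'guest', 'guest'),
    (: remove the "user" attribute and everything else stored in the session :)
    session:invalidate(),
    response:redirect-to(xs:anyURI($local:login-uri))
)
```

Without the session:invalidate() call the server-side session would still carry the user attribute, and pages that trust that attribute would keep treating the browser as logged in.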

Adding an Authorization Function
We will now create an XQuery module that performs an authorization (role) check for a given user.
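An auth library module of this kind, added as an example and not the wikibook's own module. It serves both the user-data section above and this one: the comment at the top shows the constructed user record layout it assumes (no password element; roles as a list of role children), and auth:has-role() looks the role up in that record, so auth:has-role('jdoe', 'ba') is true and auth:has-role('jdoe', 'editor') is false. The module namespace and the users collection path are assumptions.

```xquery
xquery version "1.0";
(: Added example auth module. Assumed (constructed) user record, stored as
   one document per user in $auth:users, for example jdoe.xml:
     <user>
        <id>jdoe</id>
        <name>John Doe</name>
        <login-attempts>0</login-attempts>
        <session-timeout>30</session-timeout>
        <roles><role>ba</role><role>ba-admin</role></roles>
     </user>
   The namespace URI and collection path are assumptions. :)
module namespace auth = "http://xrx.example/user-manager/auth";

declare variable $auth:users := '/db/xrx/apps/user-manager/data/users';

(: the user record for a given user-id, or the empty sequence if unknown :)
declare function auth:user($user as xs:string) as element(user)? {
    collection($auth:users)/user[id = $user]
};

(: true only if the record lists the role; an unknown user has no roles,
   so a missing record fails closed rather than raising an error :)
declare function auth:has-role($user as xs:string, $role as xs:string) as xs:boolean {
    exists(auth:user($user)/roles/role[. = $role])
};

(: true if someone other than the read-only guest account is logged in :)
declare function auth:is-logged-in() as xs:boolean {
    let $user := xmldb:get-current-user()
    return exists($user) and $user != 'guest'
};
```

Keeping the roles in a document that the guest account can read but not write matters here: if guest could edit user records, anyone could grant themselves ba-admin before logging in.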

Role-Based Conditional Display of Edit Functions
Many screens have links to Edit forms that allow users to change the data. You can conditionally display these Edit links by adding the following code to each page that would normally have an Edit link:

Checking for Authenticated User
You can also add a check to any page that has sensitive information or functions, verifying that the user is logged in. This can be done with a single function called auth:validate-user, built from two functions:

request:get-session-attribute("user") - this function will return the user name associated with the login session

response:redirect-to($uri as xs:anyURI) - this function will redirect the user to another URI such as a login panel.

Typically you want to make it easy for the user to bounce back to the screen they were on. To do this, add a return parameter to the login.xq XQuery that redirects the user back to where they came from.

response:redirect-to('/exist/rest/db/xrx/apps/user-manager/login.xq?return=/exist/rest/db/myapp/edit/edit.xq?id=47')

The following is a sample function that can be placed at the top of all pages that require user authentication:
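A page that puts such a function at the top, added as an example and not the wikibook's own code. It also covers the role-based conditional Edit link from the section above. local:validate-user() reads the session attribute set at login and, when it is missing, redirects to login.xq with a return parameter built from the current URI; the nested query string (for example ?id=47) is passed through encode-for-uri() so it is not mistaken for part of login.xq's own parameters. The module location, the URIs, the item-id parameter and the ba-admin role name are assumptions.

```xquery
xquery version "1.0";
(: Added example: protected view page with a conditional Edit link.
   Module location, URIs and the role name are assumptions. :)
import module namespace auth = "http://xrx.example/user-manager/auth"
    at "xmldb:exist:///db/xrx/apps/user-manager/modules/auth.xqm";

declare option exist:serialize "method=xhtml media-type=text/html indent=yes";

declare variable $local:login-uri := '/exist/rest/db/xrx/apps/user-manager/login.xq';

(: the URI of this page, query string included, so login.xq can send the user back :)
declare function local:current-uri() as xs:string {
    let $query := request:get-query-string()
    return
        if (empty($query) or $query = '') then string(request:get-uri())
        else concat(request:get-uri(), '?', $query)
};

(: returns the logged-in user name, or redirects to the login page and returns () :)
declare function local:validate-user() as xs:string? {
    let $user := request:get-session-attribute('user')
    return
        if (exists($user) and $user != '') then xs:string($user)
        else response:redirect-to(xs:anyURI(concat($local:login-uri,
                 '?return=', encode-for-uri(local:current-uri()))))
};

let $user := local:validate-user()
let $id   := request:get-parameter('id', '')
return
    (: after the redirect the protected content must not be rendered :)
    if (empty($user)) then ()
    else
    <html>
      <body>
        <h1>Item {$id}</h1>
        <p>Logged in as {$user}</p>
        {
          (: the Edit link appears only for users holding the ba-admin role :)
          if (auth:has-role($user, 'ba-admin'))
          then <a href="../edit/edit.xq?id={$id}">Edit</a>
          else ()
        }
      </body>
    </html>
```

Hiding the Edit link is a usability measure, not an access control: edit.xq itself must repeat the auth:has-role() check, because anyone can type its URI directly.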
