Securing MarkLogic Server

Node Update and Node Insert at the Element Level

The node-update capability at the element level enables you to replace and delete nodes with xdmp:node-replace() and xdmp:node-delete(). The insert capability enables you to call xdmp:node-insert-before(), xdmp:node-insert-after(), and xdmp:node-insert-child().

Note

At the element level, the update and node-update capabilities are equivalent.

Here are some simple examples using the xdmp:node-insert-before(), xdmp:node-insert-after(), and xdmp:node-replace() functions at the element level. These examples assume that both roles have document insert/node-update permissions as well as read permissions for the document and that the query rolesets are configured correctly.

Say that you have a document with these nodes:

<root>
  <foo>hello</foo>
  <bar>World</bar>
</root>

There are two roles: role1, with both read and update permissions on the <foo> node, and role2, with read and node-insert permissions on the <root> node:

<foo>,("role1", "read"),("role2", "read"),("role1", "update")
<root>,("role1", "read"),("role2", "read"),("role2", "insert")

The protected paths look like this:

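(: run against the Security database :)
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
sec:protect-path("//foo", (), (
  xdmp:permission("role1", "read"), xdmp:permission("role1", "update"),
  xdmp:permission("role2", "read"))),
sec:protect-path("//root", (), (
  xdmp:permission("role1", "read"), xdmp:permission("role2", "read"),
  xdmp:permission("role2", "insert")))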

The insert and update permissions check the ancestors of a node as well. See Document and Element Level Permissions Summary for details.

(: insert a new document :)
xdmp:document-insert("/example.xml",
<root>
  <foo>hello</foo>
  <bar>World</bar>
</root>,
(xdmp:permission("role1", "read"), xdmp:permission("role2", "read"),
 xdmp:permission("role1", "node-update"), xdmp:permission("role1", "insert"),
 xdmp:permission("role2", "node-update"), xdmp:permission("role2", "insert")));

As role2, use xdmp:node-insert-before() to add a node to the document:

(: add a baz node before the foo node :)
xdmp:node-insert-before(fn:doc("/example.xml")/root/foo,
    <baz>Greetings</baz>); 
(: view the revised document :)
fn:doc("/example.xml")

=>
<root>
  <baz>Greetings</baz>
  <foo>hello</foo>
  <bar>World</bar>
</root>

As role1, you can use xdmp:node-replace() to change the <foo> node:

(: replace the foo node :)
xdmp:node-replace(fn:doc("/example.xml")/root/foo, <foo>Hello</foo>);
(: view the revised document :)
fn:doc("/example.xml")

=>
<root>
  <baz>Greetings</baz>
  <foo>Hello</foo>
  <bar>World</bar>
</root>

If a user who does not have role1 attempts these same operations, a permission denied exception is thrown.
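
One way to check that the protected paths above are enforced as described is to run each update as a specific user and record whether it is allowed. This is an added example, not part of the MarkLogic documentation; user1 and user2 are hypothetical users that hold only role1 and role2 respectively, and the query is assumed to run as a user permitted to use the user-id option of xdmp:invoke-function (an admin, for example).

```xquery
xquery version "1.0-ml";

declare namespace error = "http://marklogic.com/xdmp/error";

(: Added example. user1 and user2 are hypothetical users holding only
   role1 and role2. Each operation runs in its own update transaction
   under the named user's identity. :)
declare function local:try-as(
  $user as xs:string,
  $op as function(*)
) as xs:string
{
  try {
    let $_ := xdmp:invoke-function($op,
      <options xmlns="xdmp:eval">
        <user-id>{xdmp:user($user)}</user-id>
        <update>true</update>
      </options>)
    return "allowed"
  } catch ($e) {
    (: report the error code instead of aborting the whole check :)
    fn:concat("denied: ", fn:string($e/error:code))
  }
};

let $replace-foo := function() {
  xdmp:node-replace(fn:doc("/example.xml")/root/foo, <foo>Hello</foo>)
}
let $insert-before-foo := function() {
  xdmp:node-insert-before(fn:doc("/example.xml")/root/foo,
    <baz>Greetings</baz>)
}
return (
  fn:concat("user1 replace foo: ", local:try-as("user1", $replace-foo)),
  fn:concat("user2 replace foo: ", local:try-as("user2", $replace-foo)),
  fn:concat("user2 insert before foo: ",
    local:try-as("user2", $insert-before-foo))
)
```

The allowed operations commit their changes to /example.xml, so run the check against a test copy of the document.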