Security settings: disallow guest user

configuration.xml

@@ -1,7 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
-    <restrictions execute-query="yes">
-        <!-- disallow access to certain collections -->
-        <!--deny collection="/db/apps/dashboard"/-->
+    <restrictions execute-query="yes" guest="yes">
+        <!-- 
+            Disallow access to certain collections. When using this,
+            you always (!) want to deny access to the eXide collection as
+            well.
+        -->
+        <!--deny collection="/db/apps/eXide"/-->
     </restrictions>
-</configuration>
+</configuration>

controller.xql

@@ -2,6 +2,8 @@ xquery version "3.0";
 
 declare namespace json="http://www.json.org";
 
+import module namespace config="http://exist-db.org/xquery/apps/config" at "/db/apps/eXide/modules/config.xqm";
+
 declare variable $exist:path external;
 declare variable $exist:resource external;
 declare variable $exist:prefix external;
@@ -59,6 +61,11 @@ declare function local:fallback-login($domain as xs:string, $maxAge as xs:dayTim
                 )
 };
 
+declare function local:user-allowed() {
+    request:get-attribute("org.exist.login.user") and
+        (config:get-configuration()/restrictions/guest = "yes" or request:get-attribute("org.exist.login.user") != "guest")
+};
+
 if ($exist:path eq '/') then
     <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
         <redirect url="index.html"/>
@@ -69,10 +76,11 @@ if ($exist:path eq '/') then
  :)
 else if ($exist:resource = 'login') then
     let $loggedIn := $login("org.exist.login", (), false())
+    let $userAllowed := local:user-allowed()
     return
         try {
             util:declare-option("exist:serialize", "method=json"),
-            if (request:get-attribute("org.exist.login.user")) then
+            if ($userAllowed) then
                 <status>
                     <user>{request:get-attribute("org.exist.login.user")}</user>
                     <isAdmin json:literal="true">{ xmldb:is-admin-user(request:get-attribute("org.exist.login.user")) }</isAdmin>
@@ -96,7 +104,7 @@ else if (starts-with($exist:path, "/store/")) then
             </forward>
         </dispatch>
 
-else if ($exist:resource eq "index.html") then
+else if ($exist:resource = "index.html") then
     <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
         <view>
             <forward url="modules/view.xql">
@@ -105,55 +113,70 @@ else if ($exist:resource eq "index.html") then
         </view>
     </dispatch>
 
+(: Documentation :)
+else if (matches($exist:path, "/docs/.*\.html")) then
+    <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
+        <view>
+            <!-- pass the results through documentation.xql -->
+    		<forward url="{$exist:controller}/modules/documentation.xql">
+            </forward>
+        </view>
+    </dispatch>
+
 else if ($exist:resource eq 'execute') then
     let $query := request:get-parameter("qu", ())
     let $base := request:get-parameter("base", ())
     let $output := request:get-parameter("output", "xml")
     let $startTime := util:system-time()
+    let $doLogin := $login("org.exist.login", (), false())
+    let $userAllowed := local:user-allowed()
     return
-        switch ($output)
-            case "xml" return
-                <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
-                    <!-- Query is executed by XQueryServlet -->
-                    <forward servlet="XQueryServlet">
-                        {$login("org.exist.login", (), false())}
-                        <set-header name="Cache-Control" value="no-cache"/>
-                        <!-- Query is passed via the attribute 'xquery.source' -->
-                        <set-attribute name="xquery.source" value="{$query}"/>
-                        <!-- Results should be written into attribute 'results' -->
-                        <set-attribute name="xquery.attribute" value="results"/>
-        		        <set-attribute name="xquery.module-load-path" value="{$base}"/>
-                        <clear-attribute name="results"/>
-                        <!-- Errors should be passed through instead of terminating the request -->
-                        <set-attribute name="xquery.report-errors" value="yes"/>
-                        <set-attribute name="start-time" value="{util:system-time()}"/>
-                    </forward>
-                    <view>
-                        <!-- Post process the result: store it into the HTTP session
-                           and return the number of hits only. -->
-                        <forward url="modules/session.xql">
-                           <clear-attribute name="xquery.source"/>
-                           <clear-attribute name="xquery.attribute"/>
-                           <set-attribute name="elapsed" 
-                               value="{string(seconds-from-duration(util:system-time() - $startTime))}"/>
+        if ($userAllowed) then
+            switch ($output)
+                case "xml" return
+                    <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
+                        <!-- Query is executed by XQueryServlet -->
+                        <forward servlet="XQueryServlet">
+                            {$login("org.exist.login", (), false())}
+                            <set-header name="Cache-Control" value="no-cache"/>
+                            <!-- Query is passed via the attribute 'xquery.source' -->
+                            <set-attribute name="xquery.source" value="{$query}"/>
+                            <!-- Results should be written into attribute 'results' -->
+                            <set-attribute name="xquery.attribute" value="results"/>
+            		        <set-attribute name="xquery.module-load-path" value="{$base}"/>
+                            <clear-attribute name="results"/>
+                            <!-- Errors should be passed through instead of terminating the request -->
+                            <set-attribute name="xquery.report-errors" value="yes"/>
+                            <set-attribute name="start-time" value="{util:system-time()}"/>
                         </forward>
-        	        </view>
-                </dispatch>
-            default return
-                <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
-                    <!-- Query is executed by XQueryServlet -->
-                    <forward servlet="XQueryServlet">
-                        {$login("org.exist.login", (), false())}
-                        <set-header name="Cache-Control" value="no-cache"/>
-                        <!-- Query is passed via the attribute 'xquery.source' -->
-                        <set-attribute name="xquery.source" value="{$query}"/>
-            	        <set-attribute name="xquery.module-load-path" value="{$base}"/>
-                        <!-- Errors should be passed through instead of terminating the request -->
-                        <set-attribute name="xquery.report-errors" value="yes"/>
-                        <set-attribute name="start-time" value="{util:system-time()}"/>
-                    </forward>
-                </dispatch>
-
+                        <view>
+                            <!-- Post process the result: store it into the HTTP session
+                               and return the number of hits only. -->
+                            <forward url="modules/session.xql">
+                               <clear-attribute name="xquery.source"/>
+                               <clear-attribute name="xquery.attribute"/>
+                               <set-attribute name="elapsed" 
+                                   value="{string(seconds-from-duration(util:system-time() - $startTime))}"/>
+                            </forward>
+            	        </view>
+                    </dispatch>
+                default return
+                    <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
+                        <!-- Query is executed by XQueryServlet -->
+                        <forward servlet="XQueryServlet">
+                            {$login("org.exist.login", (), false())}
+                            <set-header name="Cache-Control" value="no-cache"/>
+                            <!-- Query is passed via the attribute 'xquery.source' -->
+                            <set-attribute name="xquery.source" value="{$query}"/>
+                	        <set-attribute name="xquery.module-load-path" value="{$base}"/>
+                            <!-- Errors should be passed through instead of terminating the request -->
+                            <set-attribute name="xquery.report-errors" value="yes"/>
+                            <set-attribute name="start-time" value="{util:system-time()}"/>
+                        </forward>
+                    </dispatch>
+        else
+            response:set-status-code(401)
+
 (: Retrieve an item from the query results stored in the HTTP session. The
  : format of the URL will be /sandbox/results/X, where X is the number of the
  : item in the result set :)

modules/view.xql

@@ -23,14 +23,17 @@ import module namespace config="http://exist-db.org/xquery/apps/config" at "conf
 declare option exist:serialize "method=html5 media-type=text/html";
 
 declare function local:expand-html($html as element()) {
-    let $execAllowed := config:get-configuration()/restrictions/@execute-query = "yes"
+    let $config := config:get-configuration()
+    let $execAllowed := $config/restrictions/@execute-query = "yes"
+    let $guestAllowed := $config/restrictions/@guest = "yes"
     return
         <html>
             <head>
                 { $html/head/* }
                 <script type="text/javascript">
                     eXide.namespace("eXide.configuration");
                     eXide.configuration.allowExecution = { $execAllowed };
+                    eXide.configuration.allowGuest = { $guestAllowed };
                 </script>
             </head>
             { $html/body }

resources/css/eXide.css

@@ -58,6 +58,14 @@ body {
     text-shadow: 1px 1px 1px #666;
 }
 
+#login-dialog {
+	z-index: 10001;
+}
+
+.ui-front {
+	z-index: 10001;
+}
+
 table {
     font-size: 100%;
     border-collapse: collapse;
@@ -235,6 +243,7 @@ a:link,a:visited {
 	display: block;
 	padding: 4px 8px;
 	text-decoration: none;
+	outline: 0;
 }
 
 * html .menu ul li a {
@@ -923,7 +932,6 @@ fieldset input[type="checkbox"] {
 }
 
 fieldset legend {
-    background: url("../images/bubble.gif") top right no-repeat;
     overflow: hidden;
     width: 100%;
 	font-size: 133%;
@@ -932,6 +940,10 @@ fieldset legend {
     margin-bottom: 8px;
 }
 
+#dialog-deploy legend {
+    background: url("../images/bubble.gif") top right no-repeat;
+}
+
 fieldset ol {
 	padding: 8px 4px 0 4px;
 	list-style: none;
@@ -1206,9 +1218,21 @@ div#debuger-container {
 }
 
 div#valueHighLight { 
-        position: absolute;
-        top: 0;
-        right: 0;
-        bottom: 0;
-        left: 0;
-    }
+    position: absolute;
+    top: 0;
+    right: 0;
+    bottom: 0;
+    left: 0;
+}
+
+#dialog-startup h1 {
+	background: url("../images/bubble.gif") top right no-repeat;
+}
+
+#dialog-startup p {
+	font-size: 125%;
+}
+
+#dialog-startup a:link, #dialog-startup a:visited {
+	color: #0083CB;
+}