Re: [xsl] XML access control by custom ID

Subject: Re: [xsl] XML access control by custom ID
From: ac <ac@xxxxxxxxxxxxx>
Date: Thu, 11 Mar 2010 14:07:41 -0500
Hi,

Could you be looking for something somewhat like this:

<xsl:template match="*">
<xsl:param name="access"/>
<xsl:param name="role" as="xs:string"/>
<xsl:variable name="my_id" select="@my_id"/>
<xsl:variable name="rights" select="$access[local-name(.) eq $role]/*[my_id eq $my_id]"/>
<xsl:if test="$rights">
<xsl:copy>
<xsl:attribute name="access" select="string-join(($rights/local-name(.)), '; ')"/>
<xsl:copy-of select="@*"/>
<xsl:copy-of select="node()"/>
</xsl:copy>
</xsl:if>
</xsl:template>


<xsl:template match="/">
<xsl:message>
<xsl:apply-templates select="doc('testdata.xml')/*/*">
<xsl:with-param name="access" select="doc('testaccess.xml')/userroles/*"/>
<xsl:with-param name="role" select="'anybody'"/>
</xsl:apply-templates>
</xsl:message>
</xsl:template>

Cheers,
ac





Hi again,

Thanks for coming back.

My previous description of the problem is complete. You are just
confusing access.xml with accesscontrol.XSL. The first being user role
access settings and the latter being the place where the logic lies.

If you look closely, you will notice that "anybody" is given as
parameter to accesscontrol.xsl, which uses this to filter only the
subtree of "anybody" in access.xml. This results is only elements of
type my_id with value of ''1". The value of "1" matches the my_id
attribute of 'a' in data.xml. This explains why 'b' is dropped.

This may seem even more cryptic, but here is an explanation from a
different angle:

File inputs:
A = data.xml
B = access.xml

Parameter:
C = user_role(s)

Functional logic in accesscontrol.xsl  (uses A, B, and C as input)
Pseudo code:
D = list of my_id where my_id is a child of elements matching C in B
result.xml = Logic AND data from A and D where elements in A with
attribute my_id exists in my_id elements of D.

Constrains:
result.xml is a subset of data.xml plus access attributes as indicated
in user_role

Gents, I'm sure I can write a hacked together solution to this, but I
was hoping for an elegant solution as this is a pattern I will use
repeatedly throughout my projects. I cannot think that I am the first
person to work with 2 input XML files, where the first is the data and
the second primarily a filter. The one thing that does make this
interesting, is the fact that I'm also trying to convert node contents
from the filter (access.xml) into additional attributes to the data
(data.xml ->  result.xml).

Cheers,
Jacobus

My goal: Create a mechanism whereby visibility and user rights are
implemented on an XML data source using an external XML user roles
access control template. Output must filter out unauthorized content,
while at the same time adding user rights as attributes to the XML
source data. Other than this (removing secure and adding access
attributes) the original input data must remain unchanged.

Note that the user role will be passed to accesscontrol.xsl as parameter.

Access controlled content (data.xml):
<a some_attributes="xyz" my_id="1">
   123
</a>
<b attribute="xxx" my_id="2">
   ABC
</b>

User role access control settings (access.xml)
<userroles>
  <administrator>
   <read>
      <my_id>1</my_id>
      <my_id>2</my_id>
  </read>
   <write>
      <my_id>1</my_id>
      <my_id>2</my_id>
   </write>
  </administrator>
  <anybody>
   <read>
      <my_id>1</my_id>
   </read>
   <write>
      <my_id>1</my_id>
   </write>
  </anybody>
</useroles>

Template to filter restricted content from data.xml and include user
access rights as attributes (accesscontrol.xsl using "anybody" as
example parameter)
??<the magic xslt that I'm looking for>??

Expected output (result.xml)
<a access="read; write" some_attributes="xyz my_id="1">
   123
</a>

Current Thread