CSS seemingly allows PATCH-to-create c/r without acl:Write permissions on c/r (201 instead of 401) #146
Comments
Renamed this in the light of the resolution of solid/web-access-control-spec#105 - it now seems clear that the PUT-to-create behaviour is correct in CSS, but the PATCH-to-create behaviour is not.
Also seems to be happening for PUT. This is the ACL (note the `@prefix acl: <http://www.w3.org/ns/auth/acl#>.` line):

```turtle
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

<#alice> a acl:Authorization;
  acl:agent <https://solidtestsuite.solidcommunity.net/profile/card#me>;
  acl:accessTo <http://localhost:3000/web-access-control-tests-1656490540430/using-PUT-in-existing-test-test-disallowed-accessTo/>;
  acl:default <http://localhost:3000/web-access-control-tests-1656490540430/using-PUT-in-existing-test-test-disallowed-accessTo/>;
  acl:mode acl:Read, acl:Write, acl:Control.

<#bobAccessTo> a acl:Authorization;
  acl:agent <https://solid-crud-tests-example-2.solidcommunity.net/profile/card#me>;
  acl:accessTo <http://localhost:3000/web-access-control-tests-1656490540430/using-PUT-in-existing-test-test-disallowed-accessTo/>;
  acl:mode acl:Read, acl:Append, acl:Control.

<#bobDefault> a acl:Authorization;
  acl:agent <https://solid-crud-tests-example-2.solidcommunity.net/profile/card#me>;
  acl:default <http://localhost:3000/web-access-control-tests-1656490540430/using-PUT-in-existing-test-test-disallowed-accessTo/>;
  acl:mode acl:Read, acl:Append, acl:Write, acl:Control.
```

And this is the output of some debug statements I added in the CSS code:
Assuming 'create on c/r' (a CSS-specific concept, not a real WAC mode) means 'write on c/', I'm wondering how that got set to true. Digging deeper into the CSS code...
Ah no, it comes from https://github.com/CommunitySolidServer/CommunitySolidServer/blob/v4.0.1/src/authorization/WebAclReader.ts#L169. So the check of permissions on c/r (including consideration of whether c/r already existed) seems to be correct.
The check for permissions on c/r is here:
So my initial assumption about what 'create' and 'delete' modes mean was correct.
So the 'create' flag is used to check append-or-write on c/, but it's not used to check write on c/r.
Fixed in my fork of CSS. The CSS team have asked not to be contacted so I guess we can't make it into a PR and it will have to stay forked for the time being, unfortunately. Should probably also not call that fork "CSS" then, but come up with some other name for it. |
Environment
CSS v4.0.1, node v12.19.1, npm v6.14.8
Description
Save this file as acl.ttl:
Upload it to http://localhost:3000/.acl by doing:
Now save this as patch.n3:
and run the following two curl commands:
You will see the first one results in a 401, the second one in a 201, and indeed when you do

```shell
curl http://localhost:3000/
```

you see /with-patch.ttl was created and /with-put.ttl was not:

And with

```shell
curl http://localhost:3000/with-patch.ttl
```

you can see the contents:

Why is this different depending on the verb?
See also solid/web-access-control-spec#105.
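To make the two checks the thread arrives at concrete, here is a small TypeScript model of a WAC-style authorizer. It is an added example, not CommunitySolidServer's own code: `authorize` requires the target-level mode (acl:Write on c/r, resolved through acl:default when c/r does not exist yet) and, when creating, additionally acl:Append-or-Write on the container c/; `authorizeContainerOnly` consults only the container when creating, which is the shortcut that turns an expected 401 into a 201. The WebIDs, the ACL, the one-ACL-per-container resolution and the `insertOnly` flag (an append-only PATCH needs only acl:Append, a nuance beyond what the issue discusses) are constructed assumptions for the example.

```typescript
// Added example (not CommunitySolidServer code): a minimal WAC-style
// authorizer that makes the two checks the thread discusses explicit.
// WebIDs, URLs and the ACL below are constructed for the example.

type Mode = 'Read' | 'Write' | 'Append' | 'Control';

interface Authorization {
  agent: string;
  accessTo?: string;    // acl:accessTo: applies to exactly this resource
  defaultFor?: string;  // acl:default: inherited by resources below this container
  modes: Mode[];
}

interface WacRequest {
  method: 'GET' | 'PUT' | 'PATCH';
  target: string;
  exists: boolean;      // whether the target resource already exists
  insertOnly?: boolean; // PATCH that only adds triples needs Append, not Write
}

// Parent container of a Solid resource URL, or null for the root.
function parentOf(url: string): string | null {
  const pathStart = url.indexOf('/', url.indexOf('://') + 3);
  if (pathStart === -1) return null;
  const origin = url.slice(0, pathStart);
  const path = url.slice(pathStart);
  if (path === '/') return null;
  const segments = path.replace(/\/$/, '').split('/');
  segments.pop();
  return `${origin}${segments.join('/')}/`;
}

// Modes an agent holds on a resource: acl:accessTo entries for the resource
// itself win; otherwise the nearest ancestor's acl:default entries apply
// (simplified: one ACL per container, no acl:agentClass or groups).
function grantedModes(acl: Authorization[], agent: string, resource: string): Set<Mode> {
  const collect = (entries: Authorization[]): Set<Mode> => {
    const out = new Set<Mode>();
    entries.forEach((e) => e.modes.forEach((m) => out.add(m)));
    return out;
  };
  const direct = acl.filter((a) => a.agent === agent && a.accessTo === resource);
  if (direct.length > 0) return collect(direct);
  let container = parentOf(resource);
  while (container !== null) {
    const c = container;
    const inherited = acl.filter((a) => a.agent === agent && a.defaultFor === c);
    if (inherited.length > 0) return collect(inherited);
    container = parentOf(c);
  }
  return new Set<Mode>();
}

// acl:Write subsumes acl:Append.
function hasMode(granted: Set<Mode>, needed: Mode): boolean {
  return granted.has(needed) || (needed === 'Append' && granted.has('Write'));
}

function modeOnTarget(req: WacRequest): Mode {
  if (req.method === 'GET') return 'Read';
  return req.method === 'PATCH' && req.insertOnly ? 'Append' : 'Write';
}

// Faithful check: the target-level mode is always required (resolved through
// acl:default when the target does not exist yet), and creating additionally
// requires Append-or-Write on the parent container.
function authorize(acl: Authorization[], agent: string, req: WacRequest): { allowed: boolean; failed: string[] } {
  const failed: string[] = [];
  const needed = modeOnTarget(req);
  if (!hasMode(grantedModes(acl, agent, req.target), needed)) failed.push(`${needed} on ${req.target}`);
  if (!req.exists && req.method !== 'GET') {
    const container = parentOf(req.target);
    if (container === null || !hasMode(grantedModes(acl, agent, container), 'Append')) {
      failed.push(`Append or Write on ${container ?? '(no parent)'}`);
    }
  }
  return { allowed: failed.length === 0, failed };
}

// The shortcut the issue describes: when creating, only the container is
// consulted and the Write check on the new resource is skipped.
function authorizeContainerOnly(acl: Authorization[], agent: string, req: WacRequest): { allowed: boolean; failed: string[] } {
  if (req.exists || req.method === 'GET') return authorize(acl, agent, req);
  const container = parentOf(req.target);
  const ok = container !== null && hasMode(grantedModes(acl, agent, container), 'Append');
  return { allowed: ok, failed: ok ? [] : [`Append or Write on ${container}`] };
}

// Constructed ACL for container c/: bob may append to the container but holds
// no Write by default on its children; carol holds Write on both.
const CONTAINER = 'http://localhost:3000/c/';
const TARGET = 'http://localhost:3000/c/r';
const BOB = 'https://example.org/bob#me';
const CAROL = 'https://example.org/carol#me';
const ACL: Authorization[] = [
  { agent: BOB, accessTo: CONTAINER, modes: ['Read', 'Append', 'Control'] },
  { agent: BOB, defaultFor: CONTAINER, modes: ['Read', 'Append', 'Control'] },
  { agent: CAROL, accessTo: CONTAINER, modes: ['Read', 'Write', 'Control'] },
  { agent: CAROL, defaultFor: CONTAINER, modes: ['Read', 'Write', 'Control'] },
];

const createByPatch: WacRequest = { method: 'PATCH', target: TARGET, exists: false };
console.log('faithful :', authorize(ACL, BOB, createByPatch));              // allowed: false
console.log('shortcut :', authorizeContainerOnly(ACL, BOB, createByPatch)); // allowed: true
console.log('carol    :', authorize(ACL, CAROL, createByPatch));            // allowed: true
```

The useful property of the faithful check is that the `failed` list names exactly which of the two authorizations is missing, so a 401 on create can be traced to the container or to the (not yet existing) resource rather than to a single opaque "create" flag.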