Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify where new acl files should be created #62

Closed
Otto-AA opened this issue Jul 8, 2019 · 7 comments
Closed

Clarify where new acl files should be created #62

Otto-AA opened this issue Jul 8, 2019 · 7 comments
Assignees
@csarven

Comments

@Otto-AA
Copy link

Otto-AA commented Jul 8, 2019

The spec states where one can find acl files, but as far as I've seen it never says how the client could know where to create new acl files.

As mentioned in #8 it could be interpreted that the server also returns the acl link even if no acl file exists yet. If this behaviour is mandatory it could be used for deciding where to PUT new acl files.

But I wonder how this would work if I wanted to create a new acl file with multiple accessTo values. Just choosing one file at random and then pick its proposed acl link?
@dmitrizagidulin
Copy link
Member

dmitrizagidulin commented Jul 8, 2019
edited
Loading

The spec states where one can find acl files, but as far as I've seen it never says how the client could know where to create new acl files.

Yeah, it's like you suspected in PR #8, the implied recommended procedure is:

  • Perform an OPTIONS or a HEAD request on the intended file URL (it's fine if the file does not exist yet, the resulting .acl link header is required to be returned).
  • Create that .acl file via a PUT
  • Create the corresponding file (note that the .acl should be created before the file)

Keep in mind though, that the most common use case is to have an .acl at the container level, which all the files in the container will re-use. While it's possible that every single file will have its own individual .acl, that is a rare use case.

But I wonder how this would work if I wanted to create a new acl file with multiple accessTo values. Just choosing one file at random and then pick its proposed acl link?

Right, so... (And this should probably be clarified in the spec) Solid currently assumes that an individual .acl resource only specifies access to a single file or container.

@kjetilk
Copy link
Member

kjetilk commented Jul 8, 2019

Indeed, that's how I'm writing tests for it right now. But I'm not sure it makes sense to me, since that as you say, the .acl may reside further up the container hierarchy. The correct thing may be to make changes there rather than PUT a new one. Something also tells me that this is something a footprint should decide.

@Otto-AA
Copy link
Author

Otto-AA commented Jul 9, 2019

Thanks for your thoughts on it, as I'm currently writing an acl js library these are very useful to me.

I will go with checking the link header to know where it should put the new acl resource. I would appreciate it if this is clarified in the spec.

While it's possible that every single file will have its own individual .acl, that is a rare use case.

I think it is really common for file sharing and collaborating. For instance if I want to give user A write permissions on a doc, but the Public should only have read permissions. Or if I want to share a file like one can do in dropbox and co. Maybe there are not many other use cases, but here it seems essential to me.

Right, so... (And this should probably be clarified in the spec) Solid currently assumes that an individual .acl resource only specifies access to a single file or container.

From my point of view this is contrary to what the spec is currently saying: "The acl:accessTo predicate specifies which resources you're giving access to, using their exact URLs as the objects.". The plural of resource here makes me think that multiple accessTo predicates are also valid in the same acl file.

And what do you mean with footprint, @kjetilk ?

@kjetilk
Copy link
Member

kjetilk commented Jul 9, 2019

And what do you mean with footprint, @kjetilk ?

Ruben has blogged about shapes and stuff, including footprints: https://ruben.verborgh.org/blog/2019/06/17/shaping-linked-data-apps/#top-dt-3

@Otto-AA
Copy link
Author

Otto-AA commented Jul 11, 2019

Right, so... (And this should probably be clarified in the spec) Solid currently assumes that an individual .acl resource only specifies access to a single file or container.

Is this something that is commonly agreed upon to be part of the spec (but not clearly phrased imo), or do you mean that it is commonly implemented that way, but it is not sure if it will be part of the spec or not?
(I can also move this to another issue, so we have one issue per clarification request)

@kjetilk
Copy link
Member

kjetilk commented Jul 30, 2019

I think that the general footprints mechanism will become a part of Solid at some point, and that it is where such things will be described. As the discussion is relatively new, I'm not sure exactly where it will fit, but I think the general idea is that it will be there.

@Otto-AA Otto-AA mentioned this issue Sep 4, 2019
Closed
@csarven csarven self-assigned this May 17, 2021
@csarven csarven mentioned this issue Jun 17, 2021
Merged
@csarven
Copy link
Member

csarven commented Jul 8, 2021

Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ .
See See #acl-resource-discovery #authorization-matching #reading-writing-resources .

@csarven csarven closed this as completed Jul 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@csarven csarven

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kjetilk @csarven @dmitrizagidulin @Otto-AA