-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
how does one create an Access Control Resource? #259
Comments
Much of this is already in existing issues or made its way into the Protocol. For example, server associates an ACL resource to a resource, and the discovery is done by checking resource's Link header. The URI of the ACL resource is known. Only PUT or PATCH can be used to create an ACL resource. POST to a container entails that server allocates a URI to the created resource. ACL resources are not "contained" resources ie. they don't show up in containment listing. (That can be debated I suppose.. but not something I'm keen to pick up soon). Once an ACL resource has a representation ie. a client creates the ACL resource at specified URI, it will be used. default is useful/looked for when a resource doesn't have its own ACL resource. If you are curious about how a client can allocate the URI of the ACL resource instead of server (close to your example above with rel=type), see https://github.com/solid/specification/issues/131 . |
I had not thought of the possibility of a This problem arises as soon as one writes an ACL system, as I am doing right now. Finding ways to hint or create new ACLs seems indeed like a complicated problem, better left for later. |
URI reference does not entail that a resource has a representation. ACL resources may have a representation, created, deleted.. Clients can know via WAC-Allow. |
We agree agree that URIs don't entail that the referred to resource exists. Now these two use cases may be indistinguishable if your only use case is that the owner of a POD has control over all resources. In that case the user will always be logged in to his POD, and have control access to all the resources. But it gets more problematic if one invites another user or groups to control subcollections too. |
There is another way to look at this. If the rules from Issue #257 hold about it being bad practice for a client to follow links up the container hierarchy, and since the client has to know how to authenticate, it follows that the server needs to copy the default rules to the ACR on creation (or potentially if it goes missing on the file-system). Note that if things are specified that way, then the comment about the link following being bad practice become unnecessary, since the data is already available at the ACR. |
It may be on the other hand that the purpose of a As a result we need a link from the Resource to the default. But as we saw if we place the The link to the default was done in rww-play 7 years ago by using |
There is no mechanism for specifying how to create an Access Control Resource (ACR) attached to an
ldp:Resource
, in the WAC spec, as far as I can see.acp:default
allows one to state what a default ACR for a resource is, and the whole WAC inheritance algorithm says what one should do if a resource does not have an ACR: where to look for one. But it does not tell one how one creates an ACR for a resource.One way to solve the problem is as ACP does: require that every resource has its own ACR. The
acl:default
can then be used to fill in the new ACR with the default access control rule. (And it would explain the old acl:defaultForNew name).Without such a behavior the concept of
acl:default
does not quite make sense: for how would a client create an ACR to begin with, that could override the default? Link relations could only ever link to the ACR containing the default, and so one could not change the default.One could perhaps think of allowing clients to POST content with a
Link: ldp:AccessControl rel=type
header to a resource to create one. Perhaps that is when default rules apply? Only users with control rights as default could create those resources?The text was updated successfully, but these errors were encountered: