-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How does client apps know that certain ACL files cannot be deleted? #37
Comments
Could just be a 405 response when you try it. |
So there are no way to know it beforehand? E.g. if we want to present a button to the user that allow them to delete the ACL resource. This button should not be presented if they cannot delete the ACL resource anyway. |
Could be an |
That I think is a good solution. Would we specify that behavior in the specification? |
+1 from me |
I think it'd be really helpful for us to be able to denote certain resources as "protected", or ones that like, require a confirmation step or something, to delete. I can think of 3 resources that basically lock out the user from the account - the root .acl, the profile /card, and (distantly) the root .meta file (which is where the account recovery email is kept for some reason). |
@dmitrizagidulin Yeah, I agree very much. I voiced similar ideas, we basically need to have some sort of "hey, be careful, if you're sure, do |
@kjetilk - Just to double check, why a separate issue? Isn't that what we're talking about in this issue? (I could totally be misinterpreting :) ) |
In response to the original post, and just to throw complexity to this issue - we love complexity right right? -... why can't all resources (including ACLs) be deleted by an app with an authorized agent? What I'm sensing is that by preventing "certain" resources from getting deleted, it enforces alternative ways to actually get to delete them. That's not necessarily a simpler, cheaper, or secure way, but just moves the responsibility elsewhere. So, I like ideas that Dmitri shares re protected resources, confirmation steps etc. It immediately makes me think of a user in the sudo group that tries to delete a read-only file. Some systems, like Debian (and friends) for instance, say "remove write-protected regular file 'foo'?" I'm sure a lot of energy went into agreeing and implementing that for nix, so, I can only +1 that idea because for the short to mid-term, that's going to let us bypass reinventing and potential headaches. We should also factor in how this plays out if/when a "locking mechanism" (like WebDAV's) is part of or extended in the Solid system. |
I'm taking this issue fairly literally :-) So, I take the original question as the one that this issue should address, i.e., how the client can tell if it will not be able to delete a resource, and a good solution to that is the proposed use of the But it remains a bigger issue, that there are certain resources that the user should be alerted about that may have larger effects than they anticipate, and probably verification of that intent. And that's how I interprete your comment too :-) |
Just noting some resources that are related to this issue (via @dmitrizagidulin): |
Also see #44 . |
I think this issue is a special case of the general case in #171 . See #171 (comment) for summary on Allow, WAC-Allow, Link approaches. dokieli also shares the general use case: dokieli/dokieli#96 , dokieli/dokieli#137 (which triggered 171). The link relation to root container's ACL will only be exposed if agent has Control on the root container. Hence, the discovery of the ACL resource starts from the root container. With the exception of disallowing the deletion of root container's ACL, authorized agents can potentially delete any ACL. Unauthorized agents will simply be denied (401/403/404 being discussed) from knowing whether an ACL resource at a particular URL exists in the first place (even if say the requester knows it as a fact based on out of band knowledge). For authorized agents, the Allow header on root container's ACL is sufficient ie. it would simply omit DELETE. For authorized agents, while WAC-Allow can indicate Control and Write (whether on the ACL itself or on the root container), it can't additionally express delete is disallowed given the special case about root container's ACL. |
The current Web Access Control spec states that you cannot delete the ACL resource for the root container of a user's account.
How does the server indicate to a client application that an ACL resource cannot be deleted?
A way to figure this out today is that the client can check every parent container available if there is a ACL available, but this can be an expensive operation.
The text was updated successfully, but these errors were encountered: