Is create an append operation? #105
Comments
As Martynas mentioned on Gitter, probably option 2.
The evaluation of an authorization is concerned with finding Authorizations that match the required parameters of an operation. It depends on the HTTP request semantics and conditions. See also https://solid.github.io/web-access-control-spec/#http-method-access-mode-mapping, #85 (comment). For example, /C/R would be created given: request PATCH /C/R or PUT /C/R and finding Append (or Write) on /C/ and Write on /C/R; request POST /C/ and finding Append on /C/.
Ah, interesting. So then why does it say "append operations attempt to create resources or add information to existing resources"? Does that term "append operations" not refer to "operations for which
@csarven so it's option 1 then, despite that phrase about "append operations attempt to create ..."?
It is hard for me to answer your question directly because the primary source (HTTP method) of the request semantics that indicates the purpose of the request and the target of the HTTP request (URI) in the scenario is missing. The complete HTTP request semantics need to be taken into account in order to determine the parameters of an operation and what Authorization rule(s) need to be matched. Even without that information, it is still unclear whether the server or the client assigns the name C/R. What you are quoting is a general description about operations. (But don't run off with that.) We can append to C/ with POST (it is a resource-specific processing resulting in C/R). We can also append or add data to an existing resource C/R (POST, PATCH) but this is not the scenario you're describing. What I'm saying is that if an agent created C/R, it was probably because there was a PUT or a PATCH targeting C/R or a POST targeting C/. Append suffices for POST targeting C/, and the server will name C/R. Append on C/R will not suffice for PUT or PATCH - Write is required so that the client can name C/R. If you're satisfied with the answer, feel free to close the issue.
Yes, sorry, I forgot to state that I was talking about PUT and PATCH. OK, so option 1 then, thanks! I'll create a PR to edit the confusing text.
As commented in #106, let's leave the spec text as it is but at least we have clarity now. Thanks!
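The rule the thread settles on (option 1), written out as an added example; it is not part of any comment above, of the spec, or of any server's code. The function names, the path helper and the `grants` map (standing in for the modes an agent already holds after ACL evaluation) are assumptions made for illustration.

```javascript
// Write satisfies a requirement for Append ("Append (or Write)" in the thread).
function satisfies(held, needed) {
  if (!held) return false;
  return held.has(needed) || (needed === 'Append' && held.has('Write'));
}

// Parent container of a path: /c/r -> /c/, /c/d/ -> /c/
function containerOf(path) {
  const trimmed = path.endsWith('/') ? path.slice(0, -1) : path;
  return trimmed.slice(0, trimmed.lastIndexOf('/') + 1);
}

// (path, mode) pairs that must all be matched for a request that creates a resource.
function requirementsForCreate(method, target) {
  switch (method) {
    case 'POST':
      // Target is the container; the server names the new resource.
      if (!target.endsWith('/')) throw new Error('POST-to-create targets a container');
      return [{ path: target, mode: 'Append' }];
    case 'PUT':
    case 'PATCH':
      // The client names the resource: Append on the container AND Write on the new URL.
      return [
        { path: containerOf(target), mode: 'Append' },
        { path: target, mode: 'Write' },
      ];
    default:
      throw new Error(`${method} does not create resources`);
  }
}

// grants: Map of path -> Set of modes (hypothetical shape, constructed below).
function mayCreate(grants, method, target) {
  return requirementsForCreate(method, target)
    .every(({ path, mode }) => satisfies(grants.get(path), mode));
}

// Constructed sample grants for c/ (exists) and c/r (does not exist yet).
const appendOnly = new Map([
  ['/c/', new Set(['Append'])],
  ['/c/r', new Set(['Append'])],
]);
const writeOnResource = new Map([
  ['/c/', new Set(['Write'])],
  ['/c/r', new Set(['Write'])],
]);
```

With `appendOnly`, `POST /c/` is allowed while `PUT /c/r` and `PATCH /c/r` are refused, which is the difference between option 1 and option 2.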
This updates the text to match what we decided in solid#105 (comment). At the time we decided not to update the spec text, but now that the spec text is more detailed, the current statement is not correctly conveying that access to both the containing folder and the non-existing resource URL is required. See the confusion that was created by this in solid-contrib/web-access-control-tests#56 which was an (I think incorrect) reaction to solid#122.
) * Further clarify requirements for PUT-to-create and PATCH-to-create

This updates the text to match what we decided in #105 (comment). At the time we decided not to update the spec text, but now that the spec text is more detailed, the current statement is not correctly conveying that access to both the containing folder and the non-existing resource URL is required. See the confusion that was created by this in solid-contrib/web-access-control-tests#56 which was an (I think incorrect) reaction to #122.

* Apply suggestions from code review

Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>

---------

Co-authored-by: Sarven Capadisli <info@csarven.ca>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Suppose c/ exists, and c/r does not yet. An agent creates c/r. Does this require:

c/ and Write on c/r

or

c/ and Append or Write on c/r

Evidence of option 1:
Evidence of option 2:
I want to go for option 2 (and update the WAC tests accordingly and file a bug report to CSS), but wanted to check here first.