Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Testing existence of "default ACL" #402

Closed
awoods opened this issue Sep 20, 2018 · 3 comments
Closed

Testing existence of "default ACL" #402

awoods opened this issue Sep 20, 2018 · 3 comments

Comments

@awoods
Copy link
Collaborator

awoods commented Sep 20, 2018
edited
Loading

https://fedora.info/2018/06/25/spec/#inheritance states:

In the case that the controlled resource is uncontained and has no ACL, or that there is no ACL at any point in the containment hierarchy of the controlled resource, then the server must supply a default ACL.

There are open questions in the context of the API Test Suite about how to determine if such a "default ACL" exists. The specification says that the ACL for any resource must be returned in a Link header. For an ACL on the root resource... there are interaction questions along the lines of:

  1. What does the Link: acl header return when there is only the "default ACL"?
  2. Is it required that the "default ACL" be web-accessible to users?
  3. What should the user to do install a client-provided ACL at the root?
    • In this case, is it expected that the Link: acl header would change?

It may be that these questions all go away if the answer to the second question above is "yes".
@acoburn
Copy link
Contributor

acoburn commented Sep 20, 2018
edited
Loading

FWIW, when Trellis is first started, it automatically initializes two resources: a root container (an LDP-BC) and an ACL for that resource. That ACL is a web resource like every other ACL resource in Trellis, and it can be modified via PATCH or PUT. This satisfies the SOLID WebAC spec that states:

The root container of a user's account MUST have an ACL resource specified.

In that sense, this default ACL in Trellis is web-accessible to users (i.e. whoever has acl:Control access).

@zimeon
Copy link
Contributor

zimeon commented Sep 20, 2018
edited
Loading

I think that whether or not the default ACL is web-accessible to users, there is currently no way to find out where/what it is. That is because we use the Link: <...>; rel="acl" to say where an individual resource ACL may be created. So the answer to 1) is:

  1. a) if an individual ACL can be created then this is the location to create it, else b) could be the default or some other existing ACL

FWIW, in playing with trilpy I assumed that the default ACL would be web accessible, and that default and root ACL would be set by configuration. So:

  1. I had assumed it would be web accessible but if there is no way to find it that may be moot. It seems suggested but not required by the spec at present

  2. There is no specified means to change the individual ACL location (although doing so by other means is not forbidden) so I would not expect the ACL header location to change

@escowles
Copy link
Contributor

Decision in 10/31/18 editor's call: by definition, there must be some default behavior. But there's no requirement that it's web-accessible for the server to link to. So we are closing this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@awoods @zimeon @escowles @acoburn