Requiring acl:defaultForNew? #164

Closed
awoods opened this issue Jul 14, 2017 · 7 comments

@awoods
Collaborator

awoods commented Jul 14, 2017

acl:defaultForNew - we currently use an assumed inheritance. Is the Fedora spec requiring a change to this other pattern?

Extracted from: #145

@escowles
Contributor

Reading https://github.com/solid/web-access-control-spec#default-inherited-authorizations, it sounds like creating a resource in a container with an acl:defaultForNew would apply that ACL to the newly-created resource.

Is that how others are reading it? That seems like an alternative to using inheritance, in that the new resource would have an ACL attached and you would not need to go inspect the container to figure out which ACL to use.

@awoods
Collaborator Author

awoods commented Jul 17, 2017

@escowles : my reading is slightly different in that no new ACLs are created for resources created under a container with acl:defaultForNew, but rather while looking for an effective ACL through the inheritance hierarchy, if an acl:defaultForNew is found in that search, the found ACL is used.

The following section offers the specific search algorithm: https://github.com/solid/web-access-control-spec#acl-inheritance-algorithm-example

@escowles
Contributor

@awoods OK, so if a container has multiple ACLs, the acl:defaultForNew triple would mark the one that should apply to child resources?

@awoods
Collaborator Author

awoods commented Jul 17, 2017

@escowles : correct, and as noted in step 2 of the algorithm more than one Authorization may be flagged as acl:defaultForNew.

@zimeon
Contributor

zimeon commented Jul 17, 2017

@awoods - I agree that more than one acl:defaultForNew may apply.

@acoburn - I think WAC is silent on creation of new ACL resources for newly created resources, it just says how to find ACL resources from parent containers for resources that don't have their own. Thus, in your example, unless some child resource had an ACL created for it directly (allowed but not specified), all 10 children would see the inherited (at access time) subset of current permissions of the parent container marked acl:defaultForNew. (I suspect this confusion is the reason that the acl:defaultForNew predicate will soon be renamed to acl:default, both in the specs and in implementing servers ... perhaps a bit of history showing there)

@zimeon
Contributor

zimeon commented Jul 19, 2017

Have asked about Status of planned acl:defaultForNew to acl:default change and note that default is not currently defined in the ACL vocabulary http://www.w3.org/ns/auth/acl

@zimeon
Contributor

zimeon commented Aug 31, 2017

This has been resolved in the ACL vocabulary which now says:

    <rdf:Property rdf:about="http://www.w3.org/ns/auth/acl#default">
        <comment>A directory for which this authorization is used for new files in the directory.</comment>
        <domain rdf:resource="http://www.w3.org/ns/auth/acl#Authorization"/>
        <label>default access for things in this</label>
    </rdf:Property>

    <rdf:Property rdf:about="http://www.w3.org/ns/auth/acl#defaultForNew">
        <comment>THIS IS OBSOLETE AS OF 2017-08-01.   See 'default'.
        Was: A directory for which this authorization is used for new files in the directory.</comment>
        <domain rdf:resource="http://www.w3.org/ns/auth/acl#Authorization"/>
        <label>default access for new things in the object</label>
    </rdf:Property>

so we should use acl:default. Because the WAC spec has not yet been updated I think we need a non-normative note (at least for now) pointing out that we use acl:default instead of acl:defaultForNew, with the same semantics, in https://fcrepo.github.io/fcrepo-specification/#inheritance. I'll make a PR.
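
The inheritance reading discussed in this thread, as an added example that is not part of the original comments or of the Fedora or WAC projects' code: the effective ACL is looked up at access time, and a resource without its own ACL inherits only the Authorizations flagged acl:default (or the obsolete acl:defaultForNew) on the nearest ancestor that has an ACL. The dict-based ACL model, the paths, the agent names and both function names are assumptions made for illustration.

```python
import posixpath

ACL = "http://www.w3.org/ns/auth/acl#"
# acl:defaultForNew is obsolete as of 2017-08-01; acl:default has the same semantics.
INHERIT_FLAGS = {ACL + "default", ACL + "defaultForNew"}

# Constructed sample data: resource path -> Authorizations in that resource's own ACL.
# "flags" holds the inheritance predicates asserted on each Authorization.
SAMPLE_ACLS = {
    "/collection": [
        {"agent": "owner", "modes": {"Read", "Write", "Control"}, "flags": set()},
        {"agent": "curators", "modes": {"Read", "Write"}, "flags": {ACL + "defaultForNew"}},
        {"agent": "public", "modes": {"Read"}, "flags": {ACL + "default"}},
    ],
    "/collection/item2": [
        {"agent": "curators", "modes": {"Read"}, "flags": set()},
    ],
}

def effective_authorizations(path, acls):
    """Return (path of the ACL's owner, Authorizations that govern `path`)."""
    if path in acls:
        return path, list(acls[path])  # own ACL: every Authorization applies
    current = path
    while current != "/":
        current = posixpath.dirname(current.rstrip("/")) or "/"
        if current in acls:
            # Assumption: the search stops at the nearest ancestor with an ACL,
            # and only its flagged Authorizations are inherited.
            return current, [a for a in acls[current] if a["flags"] & INHERIT_FLAGS]
    return None, []  # no ACL found anywhere: nothing is granted

def allowed(agent, mode, path, acls):
    """Evaluate at access time; nothing is copied onto the child resource."""
    _, auths = effective_authorizations(path, acls)
    return any(a["agent"] == agent and mode in a["modes"] for a in auths)

if __name__ == "__main__":
    for p in ("/collection", "/collection/item1", "/collection/item2"):
        owner, auths = effective_authorizations(p, SAMPLE_ACLS)
        print(p, "<-", owner, sorted(a["agent"] for a in auths))
```

The unflagged owner Authorization governs the container itself but is not inherited by /collection/item1, and /collection/item2 ignores the container's defaults because it has its own ACL.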
