Shape of ACL #169
Assignees
Projects
Milestone
Comments
|
Related issue: #186 |
|
I'd like to propose SHACL as one standards-based way to describe these shapes. Questions:
Authorization @prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
acl:Authorization
a rdfs:Class, sh:NodeShape ;
sh:or
(
[
# either an acl:agent
sh:property
[
a sh:PropertyShape ;
sh:minCount 1 ;
sh:nodeKind sh:IRI ;
sh:path acl:agent
]
] [
# or class of agents
sh:property
[
a sh:PropertyShape ;
sh:minCount 1 ;
sh:path acl:agentClass ;
sh:nodeKind sh:IRI ;
]
] [
# or multiple groups
sh:property
[
a sh:PropertyShape ;
sh:minCount 1 ;
sh:path acl:agentGroup ;
sh:class vcard:Group ;
]
]
) ;
sh:or
(
[
# either direct resource access
sh:property
[
a sh:PropertyShape ;
sh:minCount 1 ;
sh:nodeKind sh:IRI ;
sh:path acl:accessTo
]
]
[
# or class access
sh:property
[
a sh:PropertyShape ;
sh:minCount 1 ;
sh:nodeKind sh:IRI ;
sh:path acl:accessToClass
]
]
) ;
sh:property
[
a sh:PropertyShape ;
sh:in ( acl:Read acl:Write acl:Control ) ;
sh:minCount 1 ;
sh:path acl:mode
],
[
a sh:PropertyShape ;
sh:hasValue acl:Authorization ;
sh:path rdf:type
] ;
.Group: @prefix dcterms: <http://purl.org/dc/terms/> .
@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
vcard:Group a rdfs:Class, sh:NodeShape ;
sh:property
[
a sh:PropertyShape ;
sh:datatype xsd:dateTime ;
sh:maxCount 1 ;
sh:path dcterms:modified ;
],
[
a sh:PropertyShape ;
sh:datatype xsd:dateTime ;
sh:maxCount 1 ;
sh:path dcterms:created ;
],
[
a sh:PropertyShape ;
sh:maxCount 1 ;
sh:minCount 1 ;
sh:nodeKind sh:IRI ;
sh:path vcard:hasUID ;
sh:pattern "^urn:uuid:"
],
[
a sh:PropertyShape ;
sh:nodeKind sh:IRI ;
sh:path vcard:hasMember
],
[
a sh:PropertyShape ;
sh:hasValue vcard:Group ;
sh:path rdf:type
] .By the way, I think that the readme uses the wrong Dublin Core namespace. EDIT: it's also missing |
|
And |
|
Ok, I removed this restriction from properties |
|
Thanks for this issue and discussion. Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ . See #authorization-conformance . Please use https://github.com/solid/web-access-control-spec for future discussion. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As clients can create ACLs, servers need to have deterministic handling of the request. Clients and servers need to have a shared understanding and expectation of the information within ACL documents. Invalid ACLs pose potential security issues. Defining an ACL shape to validate request payload can be a way to address this.
Related issues: #56 , #57 , solid/web-access-control-spec#78 , #130 , #67 , #193
The text was updated successfully, but these errors were encountered: