
Should PUT-to-create c/r in existing container be allowed with only accessTo Write c/? #246

Closed
michielbdejong opened this issue Mar 4, 2021 · 6 comments

Comments

@michielbdejong
Contributor

The question

Suppose:

  • c/ exists
  • c/ has its own ACL doc, which looks as follows (leaving out prefix etc):
<#Bob>
  a acl:Authorization ;
  acl:agent <https://bob.com/#me> ;
  acl:accessTo <c/> ;
  acl:mode acl:Write .

Note that Bob's Authorization in the ACL doc of c/ does not contain acl:default, so it does not apply to descendants of c/, only to c/ itself.

Should this request succeed and create c/r?

The facts

  • ESS says 'yes'.
  • NSS, PSS, and CSS say 'no'.
  • For comparison, and in support of 'yes', POST to c/ also only requires accessTo Append, no default permissions required there either.
  • But then again, in support of 'no', with a POST the client doesn't get to choose the URL, and with a PUT they do.

Please vote! :)
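To make the two readings concrete, here is a small Python model of the WAC matching rule the thread converges on (an added example, not code from this issue, from the WAC spec, or from ESS/NSS/PSS/CSS). It finds the effective ACL resource for a target by walking up to the nearest ancestor-or-self that has its own ACL document, then matches acl:accessTo only when that ACL belongs to the target itself and acl:default only when the target is a descendant. The pod base URL, Alice as pod owner, and the "POST needs Append or Write on the container, PUT needs Write on the target" policy are assumptions made for the example, and the ACL is a Python structure rather than parsed Turtle.

```python
"""Minimal WAC-style check for PUT-to-create vs POST (added example, not
from any Solid server or the WAC spec)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

READ, WRITE, APPEND, CONTROL = "Read", "Write", "Append", "Control"


@dataclass(frozen=True)
class Authorization:
    """One acl:Authorization, reduced to the fields this check needs."""
    agents: FrozenSet[str]                     # acl:agent WebIDs
    modes: FrozenSet[str]                      # acl:mode values
    access_to: FrozenSet[str] = frozenset()    # acl:accessTo: the resource itself only
    default: FrozenSet[str] = frozenset()      # acl:default: inherited by descendants


def parent_container(iri: str) -> Optional[str]:
    """'https://h/c/r' -> 'https://h/c/', 'https://h/c/' -> 'https://h/', root -> None."""
    parts = urlsplit(iri)
    if parts.path in ("", "/"):
        return None
    trimmed = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, trimmed[: trimmed.rfind("/") + 1], "", ""))


def effective_acl_resource(resource: str, acl_docs: Dict[str, List[Authorization]]) -> str:
    """Nearest ancestor-or-self that has its own ACL document (a not-yet-created
    resource never has one, so its effective ACL is always an ancestor's)."""
    cur: Optional[str] = resource
    while cur is not None:
        if cur in acl_docs:
            return cur
        cur = parent_container(cur)
    raise LookupError(f"no ACL resource found for {resource}")


def granted_modes(agent: str, resource: str, acl_docs: Dict[str, List[Authorization]]) -> Set[str]:
    """Modes the agent holds on `resource` under its effective ACL."""
    owner = effective_acl_resource(resource, acl_docs)
    modes: Set[str] = set()
    for auth in acl_docs[owner]:
        if agent not in auth.agents:
            continue
        if owner == resource and resource in auth.access_to:
            modes |= auth.modes            # acl:accessTo matches the resource itself
        elif owner != resource and owner in auth.default:
            modes |= auth.modes            # acl:default matches a descendant
    return modes


def required(method: str, target: str) -> Tuple[str, Set[str]]:
    """(resource whose modes are checked, modes any one of which suffices).
    Assumed policy for the example; not the spec's full rule set."""
    if method == "POST":            # server-named child of the container `target`
        return target, {APPEND, WRITE}
    if method in ("PUT", "DELETE"):  # client-named target; creating it needs Write on the target
        return target, {WRITE}
    if method == "GET":
        return target, {READ}
    raise ValueError(method)


def allowed(agent: str, method: str, target: str, acl_docs: Dict[str, List[Authorization]]) -> bool:
    resource, sufficient = required(method, target)
    return bool(granted_modes(agent, resource, acl_docs) & sufficient)


# Constructed scenario from the issue: c/ exists and has its own ACL granting Bob
# acl:Write via acl:accessTo only. Base URL and the owner's WebID are assumptions.
BOB = "https://bob.com/#me"
ALICE = "https://alice.example/#me"
ROOT = "https://alice.example/"
C = ROOT + "c/"


def scenario(bob_has_default: bool) -> Dict[str, List[Authorization]]:
    bob = Authorization(agents=frozenset({BOB}), modes=frozenset({WRITE}),
                        access_to=frozenset({C}),
                        default=frozenset({C}) if bob_has_default else frozenset())
    owner = Authorization(agents=frozenset({ALICE}), modes=frozenset({READ, WRITE, CONTROL}),
                          access_to=frozenset({ROOT}), default=frozenset({ROOT}))
    return {ROOT: [owner], C: [bob]}


if __name__ == "__main__":
    for label, docs in (("accessTo only", scenario(False)), ("accessTo + default", scenario(True))):
        print(f"{label}: Bob PUT c/r -> {allowed(BOB, 'PUT', C + 'r', docs)}, "
              f"Bob POST c/ -> {allowed(BOB, 'POST', C, docs)}")
```

With the ACL exactly as in the issue, Bob gets Write on c/ but no modes at all on c/r, so PUT-to-create is denied while POST to c/ is allowed; adding acl:default <c/> to the same Authorization flips the PUT to allowed. The model also shows a side effect worth knowing: because c/ has its own ACL, the owner's acl:default on the root no longer reaches c/r either.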

@michielbdejong
Contributor Author

@timbl @justinwb @dmitrizagidulin @kjetilk @csarven @RubenVerborgh you are in the editorial team, your voice is obviously very welcome in this discussion.

michielbdejong added a commit to solid-contrib/web-access-control-tests that referenced this issue Mar 5, 2021
@michielbdejong
Contributor Author

  • ESS says 'yes'.

To reproduce this, have a look at https://github.com/solid/web-access-control-tests/tree/reproduce-246-ess

  • NSS, PSS, and CSS say 'no'.

To reproduce this, unskip https://github.com/solid/web-access-control-tests/blob/main/test/surface/create.test.ts#L207 and you'll see the CRUD tests still pass against each of these three servers.

@csarven
Member

csarven commented Mar 5, 2021

Should PUT-to-create c/r in existing container be allowed with only accessTo Write c/?

As only acl:Write is granted to C/ and no access can be determined for C/R, access is denied.

@michielbdejong
Contributor Author

Thanks @csarven! I think we agree on that conclusion.

@acoburn would you be willing to change the ESS behaviour from 'yes' to 'no'?

@michielbdejong
Contributor Author

@acoburn was this fixed in ESS v1.1?

@csarven
Member

csarven commented Jul 8, 2021

Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ . See #effective-acl-resource #reading-writing-resources #authorization-matching

@csarven csarven closed this as completed Jul 8, 2021