From 6e882962ba0aa4fb5c243520d9874b116d355cfc Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Tue, 8 Oct 2019 21:19:09 -0400 Subject: [PATCH 1/5] prefix -> suffix typo fix. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 01db2db..1f026bc 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,7 @@ the ACL resource in the above example would be `/docs/.acl`). Clients MUST NOT assume that the location of an ACL resource can be deterministically derived from a document's URL. For example, given a document with a URL of `/docs/file1`, clients cannot rely on the assumption that an ACL -resource exists at `/docs/file1.acl`, simply using `.acl` as a prefix. The +resource exists at `/docs/file1.acl`, simply using `.acl` as a suffix. The actual naming convention for ACL resources can differ for each individual implementation (or even for each individual server). If one server locates the ACL resource by appending the suffix `.acl`, another server could place the ACL From 31eca70c35c423804d4f5b2cc438272dfc5db02b Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Tue, 8 Oct 2019 21:19:42 -0400 Subject: [PATCH 2/5] s -> a typo fix. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1f026bc..65d32c9 100644 --- a/README.md +++ b/README.md @@ -301,7 +301,7 @@ the following issues: for group ACLs are public. Possible future methods for a server to find out whether a given agent is a -member of s group are a matter for future research and possible addition here. +member of a group are a matter for future research and possible addition here. ### Public Access (All Agents) From 6f0dfc233cbe798a6ec0080951e50938d99ae3f8 Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Tue, 8 Oct 2019 21:38:26 -0400 Subject: [PATCH 3/5] thats -> that typo fix. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 65d32c9..9de8c8f 100644 --- a/README.md +++ b/README.md @@ -439,7 +439,7 @@ Since an ACL resource is a plain Web document in itself, what controls who has access to *it*? While an ACL resource *could* in theory have its own corresponding ACL document (for example, `file1.acl` controls access to `file1`, and `file1.acl.acl` could potentially control access to `file1.acl`), one -quickly realizes thats this recursion has to end somewhere. +quickly realizes that this recursion has to end somewhere. Instead, the [`acl:Control` access mode](#aclcontrol) is used (see below), to specify who has access to alter (or even view) the ACL resource. From 5622dbb06a97725c7a378c2b935af8a0ae740af3 Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Wed, 9 Oct 2019 21:00:16 -0400 Subject: [PATCH 4/5] Fixes to the "Webapps" section. --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 9de8c8f..43cb821 100644 --- a/README.md +++ b/README.md @@ -368,24 +368,24 @@ All scripts running on the same origin are assumed to be run by the same social entity, and so trusted to the same extent. *When an Origin header is present then BOTH the authenticated agent AND -the origin MUST be allowed access* +the origin MUST be allowed access.* - As both the user and the web app get to read or write (etc) the data, then they most BOTH - be trusted. This is the algorithm the server must go through. +As both the user and the web app get to read or write (etc) the data, then they must BOTH +be trusted. This is the algorithm the server must go through. - - If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH ** - - If the user is *not* logged on, then fail `401 Unauthenticated` - - Is the User authenticated is *not* allowed access required, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized` - - If the Origin header is not present, the succeed `200 OK` - - If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH - - (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH - - Fail `403 Origin Unauthorized` + - If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH. ** + - If the user is *not* logged on, then fail `401 Unauthenticated`. + - Is the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`. + - If the Origin header is not present, then succeed `200 OK`. + - If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH. + - (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH. + - Fail `403 Origin Unauthorized`. - Note it is a really good idea to make it clear both in the text of the status message and in the body of - the message the difference between the user not being allowed and the web app they are using - not being trusted. +Note it is a really good idea to make it clear both in the text of the status message and in the body of +the message the difference between the user not being allowed and the web app they are using +not being trusted. - ** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials. +** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials. #### Adding trusted web apps. From 7a1f0de418e16c5ebd8e47bc4accb56079a8cbd8 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Thu, 28 Jan 2021 17:22:07 +0100 Subject: [PATCH 5/5] "If" instead of "Is" Co-authored-by: Ted Thibodeau Jr --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 43cb821..f1827a5 100644 --- a/README.md +++ b/README.md @@ -375,7 +375,7 @@ be trusted. This is the algorithm the server must go through. - If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH. ** - If the user is *not* logged on, then fail `401 Unauthenticated`. - - Is the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`. + - If the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`. - If the Origin header is not present, then succeed `200 OK`. - If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH. - (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH.