Merged
34 changes: 17 additions & 17 deletions README.md
Expand Up @@ -119,7 +119,7 @@ the ACL resource in the above example would be `/docs/.acl`).
Clients MUST NOT assume that the location of an ACL resource can be
deterministically derived from a document's URL. For example, given a document
with a URL of `/docs/file1`, clients cannot rely on the assumption that an ACL
resource exists at `/docs/file1.acl`, simply using `.acl` as a prefix. The
resource exists at `/docs/file1.acl`, simply using `.acl` as a suffix. The
actual naming convention for ACL resources can differ for each individual
implementation (or even for each individual server). If one server locates the
ACL resource by appending the suffix `.acl`, another server could place the ACL
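Review bot: "suffix" is the right word; `.acl` appended to `/docs/file1` is a suffix, not a prefix, so this is a genuine correction rather than a style change. Since the paragraph tells clients they MUST NOT derive the ACL location from the document URL, it should also say how a client is meant to discover it; as written it forbids the obvious guess without naming the alternative, and a client that guesses anyway on a server using the `/docs/.acl` style shown at the top of the hunk will address a resource the server does not treat as the ACL at all.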
Expand Down Expand Up @@ -301,7 +301,7 @@ the following issues:
for group ACLs are public.

Possible future methods for a server to find out whether a given agent is a
member of s group are a matter for future research and possible addition here.
member of a group are a matter for future research and possible addition here.

### Public Access (All Agents)

Expand Down Expand Up @@ -368,24 +368,24 @@ All scripts running on the same origin are assumed to be run by the same
social entity, and so trusted to the same extent.

*When an Origin header is present then BOTH the authenticated agent AND
the origin MUST be allowed access*
the origin MUST be allowed access.*

As both the user and the web app get to read or write (etc) the data, then they most BOTH
be trusted. This is the algorithm the server must go through.
As both the user and the web app get to read or write (etc) the data, then they must BOTH
be trusted. This is the algorithm the server must go through.

- If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH **
- If the user is *not* logged on, then fail `401 Unauthenticated`
- Is the User authenticated is *not* allowed access required, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`
- If the Origin header is not present, the succeed `200 OK`
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH
- Fail `403 Origin Unauthorized`
- If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH. **
- If the user is *not* logged on, then fail `401 Unauthenticated`.
- If the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`.
- If the Origin header is not present, then succeed `200 OK`.
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH.
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH.
- Fail `403 Origin Unauthorized`.

Note it is a really good idea to make it clear both in the text of the status message and in the body of
the message the difference between the user not being allowed and the web app they are using
not being trusted.
Note it is a really good idea to make it clear both in the text of the status message and in the body of
the message the difference between the user not being allowed and the web app they are using
not being trusted.

** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.

#### Adding trusted web apps.

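Review bot: the step "If the Origin header is not present, then succeed `200 OK`" leaves `Origin: null` unspecified. Browsers send that literal value for sandboxed iframes, cross-origin redirects and `file://` pages, and a server that treats a present-but-`null` Origin as "not present" hands the no-Origin success path to exactly the scripts the origin check is meant to gate; suggest stating that `null` is an untrusted origin that falls through to `403 Origin Unauthorized`. Two smaller points on the same list: expand ACAO and ACAH on first use (`Access-Control-Allow-Origin`, `Access-Control-Allow-Headers`), and note that the per-origin success branches also need `Access-Control-Allow-Credentials: true`, since the footnote already relies on a wildcard ACAO blocking credentialed requests, and an echoed origin without the credentials header is blocked by the browser in the same way. The reason phrases `401 Unauthenticated`, `403 User Unauthorized` and `403 Origin Unauthorized` are non-standard; that is reasonable given the paragraph about distinguishing the two 403 cases, but it is worth saying that clients should key on the status code and body, with the phrase being advisory only.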
Expand Down Expand Up @@ -439,7 +439,7 @@ Since an ACL resource is a plain Web document in itself, what controls who
has access to *it*? While an ACL resource *could* in theory have its own
corresponding ACL document (for example, `file1.acl` controls access to `file1`,
and `file1.acl.acl` could potentially control access to `file1.acl`), one
quickly realizes thats this recursion has to end somewhere.
quickly realizes that this recursion has to end somewhere.

Instead, the [`acl:Control` access mode](#aclcontrol) is used (see below), to
specify who has access to alter (or even view) the ACL resource.