Comments (2)
I think we should consider the possibility of clients to suggest the URI of the ACL they want to assign to a resource when creating or updating the resource.
It makes it possible to create the ACL before or after creating the resource - depending on their level of comfort and tolerance.
Helps to address use cases requiring decentralised ACLs.
In the case where `Link rel=acl` isn't specified, the server can still assign one as per usual.
The `LINK` method can be optionally used by a client to establish the relationships in `Link` (e.g. pertaining to rel=acl/meta). This is useful in and of itself because the location of acl/meta doesn't need to be sticky. It should be mutable so that the reference can change without having to re-create the resource with a new reference.
Let's be careful to not lose sight of the target resource with URI/API tricks. Slashes in path segments are different - native to URI (RFC).
That leaves us with having either the client to be explicit that a resource is an ACL or server figuring it out. The options are not mutually exclusive:
- Client: `Content-Type` - there isn't a mediatype for ACL (only existing RDF formats). Perhaps `profile=solid:ACL` can be used?
- Client: `Link rel=type solid:ACL` - new reference.
- Server: Processing the payload and checking against a data shape.
- Server: URI Template for ACL resources.
- ..
Option 1 - New media type for ACL is probably nonsensical (given that it is already in RDF... subtyping is meh). `profile` seems attractive e.g. `Content-Type: text/turtle; profile="http://www.w3.org/ns/solid/terms#AccessControl"` (alternative: use acl ns and add class). Meaningful?
Option 2 - specifies "payload's abstract semantic type".
Option 3 - server probably should process the ACL shape any way.
Option 4 - server expects only ACL resources at designated URIs.
I think the following can work..
```
POST /foo/bar/

201
Location: baz
Link: <http://example.org/foo/bar/baz.acl>; rel="acl"

PATCH /foo/bar/baz.acl
Link: <http://www.w3.org/ns/solid/terms#AccessControl>; rel="type"

LINK /foo/bar/baz
Link: <http://example.net/.acl>; rel="acl"
```
from web-access-control-spec.
@csarven one possible issue with this proposal is whether a client suggests an ACL location or whether a client assigns an ACL location to a resource. And also whether a server implementation is free to ignore that.
Here are some issues that emerge if a client is able to assign an arbitrary ACL to a resource.
- An ACL resource could be a regular resource. Does this mean that this "regular resource" now is accessible only by those with `acl:Control` privileges? What if that resource already has its own ACL resource?
- What if the designated ACL resource is a child of the resource in question (in terms of LDP hierarchy)? How does that intersect with DELETE operations?
- If an untrustworthy application can get a user to assign a remote ACL to a resource -- an ACL that the user does not control, then a series of potential "loss of control" scenarios become quite real.
- How does a server enforce ACL restrictions in the case that an assigned ACL is temporarily inaccessible? (i.e. on a remote server that is under a DDoS attack?)
- If a client assigns an arbitrary ACL (e.g. an ordinary LDP-RS within the same server), what makes that a legitimate ACL resource? The mere presence of ACL triples? What happens if a user with `acl:Write` access to that "acl resource" is able to remove those triples or otherwise render the ACL graph semantically meaningless? And what happens if ACL triples are added to an ordinary LDP-RS? Does that resource become an ACL resource?
I'm not against this feature, because it could be implemented in a way that these concerns are addressed. OTOH, I would be concerned if support for this was absolutely required, because it introduces some significant issues that a server implementation could easily fall into.
from web-access-control-spec.
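One way a server could treat a client-supplied `Link rel="acl"` as a suggestion while guarding against the remote-ACL, containment and unavailability concerns raised in this thread. This is an added example, not part of either comment or of the WAC specification; the `.acl` suffix template, the function names and the shape of the authorization objects are assumptions.

```javascript
// Added example: one possible server policy; not taken from the WAC spec.
const ACL_SUFFIX = '.acl'; // assumed URI template for ACL resources

// Return the target of the first rel="acl" entry in a Link header, or null.
function parseAclLink(linkHeader) {
  for (const part of (linkHeader || '').split(/,(?=\s*<)/)) {
    const m = part.match(/^\s*<([^>]*)>(.*)$/);
    if (!m) continue;
    const rel = m[2].match(/;\s*rel\s*=\s*(?:"([^"]*)"|([^;\s]+))/i);
    const rels = rel ? (rel[1] ?? rel[2]).toLowerCase().split(/\s+/) : [];
    if (rels.includes('acl')) return m[1];
  }
  return null;
}

// Treat the client's ACL URI as a suggestion; fall back to the server's own.
function resolveAcl(resourceUrl, linkHeader) {
  const resource = new URL(resourceUrl);
  const assigned = resource.origin + resource.pathname + ACL_SUFFIX;
  const refuse = reason => ({ acl: assigned, accepted: false, reason });
  const suggested = parseAclLink(linkHeader);
  if (suggested === null) return refuse('none suggested');
  let acl;
  try { acl = new URL(suggested, resource); } catch { return refuse('unparseable URI'); }
  // A remote ACL is outside this server's control and may be unreachable.
  if (acl.origin !== resource.origin) return refuse('remote ACL');
  // Only designated ACL URIs, so an ordinary resource never doubles as an ACL.
  if (!acl.pathname.endsWith(ACL_SUFFIX)) return refuse('not an ACL URI');
  // An ACL contained by the resource it protects entangles DELETE handling.
  const own = acl.pathname === resource.pathname + ACL_SUFFIX;
  if (resource.pathname.endsWith('/') && acl.pathname.startsWith(resource.pathname) && !own)
    return refuse('ACL is contained by the resource');
  return { acl: acl.origin + acl.pathname, accepted: true, reason: 'ok' };
}

// Fail closed: an unreadable or empty ACL grants no access modes.
function allowedModes(aclLoad, agent) {
  if (!aclLoad.ok || aclLoad.authorizations.length === 0) return [];
  return [...new Set(aclLoad.authorizations
    .filter(a => a.agents.includes(agent)).flatMap(a => a.modes))];
}
```

With the `LINK` request from the first comment, `resolveAcl('http://example.org/foo/bar/baz', '<http://example.net/.acl>; rel="acl"')` is refused as a remote ACL and the server keeps `http://example.org/foo/bar/baz.acl`.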