Access Control Help

Hi Solid Community!

I’m currently creating an application for my Masters Dissertation using react, using the react-sdk and the javascript solid-client library.

Here’s my question:

I want to create a container and within this container I want to create 4 datasets for the app. I want to be able to have these datasets viewable for other users if the user wishes to.

I have been trying to give access to other users using the universalAccess API but I ran into the issue of there not being an acl resource to modify. I then created an empty acl resource when creating the container and proceeded to lock myself out of the resource.

Would someone be able to describe the flow in which I should be doing in order to allow this functionality to work?

If any further information is needed please ask.
Thanks

Hi Danana

Out of curiosity, what project are you working on?

Depending on what exactly you want, one way would be (code not tested, based on the library's documentation):

import { universalAccess } from "@inrupt/solid-client"

// your 4 datasets
const datasets = ["https://example.com/foo/resource" /* , ... */]
// users that should have access to these 4 datasets
const users = ["https://id.example.com/someWebId" /* , ... */]
// access rights
const accessRights = { read: true, write: true }

for (const webId of users) {
  for (const dataset of datasets) {
    // fetch is the authenticated fetch you got from the solid-client auth libraries
    await universalAccess.setAgentAccess(dataset, webId, accessRights, { fetch })
  }
}

Does this help you? If no, where and how exactly did it go wrong? Or if that’s not what you want, can you clarify?

1 Like

Regarding this, if the server uses WAC (which if I’m not mistaken means it uses acl files) then setAgentAccess should automatically create the acl file. So at least in theory, I don’t think it is an issue if the ACL file does not exist yet.

1 Like

Hi, thanks for your quick response.

So upon running code following the same process as you’ve suggested I’m running into a 404 error saying the .acl files do not exist.

Fetching the metadata of the Resource at [https://danana2.solidcommunity.net/Solid-Health-Test3/profile.ttl.acl] failed: [404] [Not Found].

My solution to this is to create a blank .acl for the resource but when I’m doing that I’m locking myself out of the resource. I’ve then tried to grant the authenticated user access and still somehow locking myself out.

Ah indeed, apparently it’s a known bug: access/universal functions throw error instead of creating .acl when no .acl exists · Issue #1549 · inrupt/solid-client-js · GitHub

1 Like

For this workaround, try to not create it blank but instead create it with control permissions for yourself to not lock yourself out. I’m not sure off the top of my head how this works with the library, but it should be possible. Here is the documentation on it: Manage Access to Data (WAC) — Inrupt JavaScript Client Libraries

If you create it blank, it essentially means no one has permissions. Thus you need to create it already with some contents to prevent lock-out.

However, note that this is not “universal” as it is only for servers using WAC access control. So maybe try if your solution does not break with eg https://start.inrupt.com which (iirc) uses ACP for access control.

1 Like

I think I’ll just use ACP servers for access control as I’m having a lot of issues with WAC.

Thank you so much for your swift response and assistance it is very much appreciated!

Hello @danana5, welcome to the forum!

You may try to PATCH the .acl file directly (patching non-existent .acl should work, too; it does for me with NSS and CSS) along the lines of:

// the authenticated fetch is exported by the scoped Inrupt package
import { fetch } from '@inrupt/solid-client-authn-browser'

const body = `
INSERT DATA {
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/auth/acl#Authorization> .
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/ns/auth/acl#accessTo> <https://example.com/mypod/path/to/my/folder/> .
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/ns/auth/acl#default> <https://example.com/mypod/path/to/my/folder/> .
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read> .
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Write> .
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Control> .
<https://example.com/mypod/path/to/my/folder/.acl#ReadWriteControl> <http://www.w3.org/ns/auth/acl#agent> <https://grouptest2.solidcommunity.net/profile/card#me> .
}
`

const aclUrl = 'https://example.com/mypod/path/to/my/folder/.acl'

// inside async function
// fetch has to be authenticated
await fetch(aclUrl, {
  method: 'PATCH',
  body,
  headers: { 'content-type': 'application/sparql-update' },
})

This particular example sets access for a folder. If you want to set it for a file, I believe you just need to change the body:

  • remove the triple (line) which contains #default
  • replace all occurrences of /path/to/my/folder/ with /path/to/my/filename.extension (put whatever is relevant for you)

I think you could also do this with PUT and different body; this is just an example I happened to work with, recently. Hope this helps. If you try it and still have issues with it, maybe I could look at it further. I may have left some bugs in there. :crossed_fingers:

2 Likes
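As an added example (not code from any poster in this thread or from the Inrupt libraries), the sketch below generalizes the PATCH body above and the earlier advice about never creating a blank ACL: it builds the INSERT DATA body for a folder or a file, always with an owner authorization that carries Control, and checks for that before anything is sent. The function names, the sample URLs, and the assumption that the ACL lives at the resource URL plus `.acl` are illustrative.

```javascript
// Added example: buildAclPatch and hasOwnerControl are hypothetical helper names.
const ACL = 'http://www.w3.org/ns/auth/acl#'
const RDF_TYPE = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type'

// Reject characters that could break out of an <IRI> in the update body.
function iri(value) {
  if (/[<>"{}|^`\\\s]/.test(value)) throw new Error(`unsafe IRI: ${value}`)
  return `<${value}>`
}

// One acl:Authorization, written as one triple per line.
function authorization(aclUrl, name, resourceUrl, agents, modes) {
  const subject = iri(`${aclUrl}#${name}`)
  const target = iri(resourceUrl)
  const lines = [
    `${subject} ${iri(RDF_TYPE)} ${iri(ACL + 'Authorization')} .`,
    `${subject} ${iri(ACL + 'accessTo')} ${target} .`,
  ]
  // acl:default is only meaningful on containers (URL ends with "/").
  if (resourceUrl.endsWith('/')) lines.push(`${subject} ${iri(ACL + 'default')} ${target} .`)
  for (const mode of modes) lines.push(`${subject} ${iri(ACL + 'mode')} ${iri(ACL + mode)} .`)
  for (const agent of agents) lines.push(`${subject} ${iri(ACL + 'agent')} ${iri(agent)} .`)
  return lines
}

// Owner always gets Read/Write/Control; optional readers get Read only.
// Assumption: the ACL URL is the resource URL plus ".acl", as in the thread.
function buildAclPatch(resourceUrl, ownerWebId, readers = []) {
  const aclUrl = `${resourceUrl}.acl`
  const lines = authorization(aclUrl, 'ReadWriteControl', resourceUrl,
    [ownerWebId], ['Read', 'Write', 'Control'])
  if (readers.length > 0) lines.push(...authorization(aclUrl, 'Read', resourceUrl, readers, ['Read']))
  return { aclUrl, body: `INSERT DATA {\n${lines.join('\n')}\n}\n` }
}

// Pre-flight check: some authorization must give this WebID acl:Control,
// otherwise writing the ACL would lock its author out.
function hasOwnerControl(body, webId) {
  const subjects = (predicate, object) => body.split('\n')
    .map((line) => line.split(' '))
    .filter((t) => t[1] === iri(ACL + predicate) && t[2] === iri(object))
    .map((t) => t[0])
  const controllers = new Set(subjects('mode', ACL + 'Control'))
  return subjects('agent', webId).some((s) => controllers.has(s))
}
```

Pass the returned `aclUrl` and `body` to the authenticated `fetch` PATCH call shown above, and refuse to send when `hasOwnerControl(body, yourWebId)` is false.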