acl:default or acl:defaultForNew?

Hi, I want to give Authenticated Agents the Submitter Authorization.
Is there any decision about this spec: https://github.com/solid/solid-spec/blob/master/acl-inheritance.md ?
Do I have to use acl:default or acl:defaultForNew?

let aclInboxContent = `@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix inbox: <./>.
@prefix c: </profile/card#>.

# Any authenticated agent may Append to the container and, via acl:default, to its children
:Append
    a acl:Authorization;
    acl:accessTo <./>;
    acl:agentClass acl:AuthenticatedAgent;
    acl:default <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Append.
# The owner keeps Control, Read and Write
:ControlReadWrite
    a acl:Authorization;
    acl:accessTo <./>;
    acl:agent c:me;
    acl:default <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Control, acl:Read, acl:Write.
# Note: this rule names no acl:agent or acl:agentClass, so as written it grants Read to nobody
:Read
    a acl:Authorization;
    acl:accessTo <./>;
    acl:default <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Read.`

// root and module.fc are defined elsewhere in the poster's script
let file = root + "test5/.acl"
await module.fc.createFile(file, aclInboxContent, "text/turtle")
  .then(success => console.log(`Created ${file}.`),
        err => console.log(err));

2nd question: is it better to use subjects like :Read, :Append or subjects like <#owner>, <#public>?

let aclInboxContentOK = `# ACL resource for the public folder
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

# The owner has all permissions
<#owner>
    a acl:Authorization;
    acl:agent <https://spoggy-test.solid.community/profile/card#me>;
    acl:accessTo <./>;
    acl:default <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Read, acl:Write, acl:Control.

# The public has read permissions
<#public>
    a acl:Authorization;
    acl:agentClass foaf:Agent;
    acl:accessTo <./>;
    acl:default <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Read.`

You should use acl:default. acl:defaultForNew is the old version. It looks like NSS has already been using the new version for 1.5 years (PR), so you should be fine with that.

I think it doesn't matter for most use cases. It makes no difference to the permissions granted, only to the development process. The differences I see are:

  • Slightly different readability for developers who read the ACL file (I'd prefer owner/public here, as it gives more of a reason why the rule exists)
  • When editing, you could select the rules based on the subject (owner/public/…). For instance, in pseudo code: delete rule with subjectId "public". So the subject id in the ACL should reflect the subjectId in your code if you modify it this way

This is the one used: https://github.com/solid/web-access-control-spec/#acl-inheritance-algorithm
Here is some background discussion on how to interpret it: https://github.com/solid/specification/issues/55
So if a file does not have its own ACL file, it looks for the nearest parent that has an ACL file. All acl:default rules of the first one found will apply to the file. If that parent's ACL doesn't have any acl:default, then no one can access this file.

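As an added example (not code from this thread, from NSS or from any Solid library), here is a small in-memory JavaScript model of the inheritance lookup described in the answer above: a resource with its own ACL uses that ACL's acl:accessTo rules; otherwise the nearest ancestor with an ACL is found and only its acl:default rules apply, so an ancestor ACL without acl:default makes children unreachable even for the owner. The pod layout, WebIDs and rules are constructed for illustration. Rules are keyed by subject (#owner, #public) so that "delete the rule with subjectId public" from the earlier answer is a single removal, and acl:defaultForNew is treated as an alias of acl:default purely so that old-style ACLs still evaluate (a choice made in this model, not something the spec states).

```javascript
// Added example, not code from the original thread or from any Solid server:
// a small in-memory model of the WAC ACL inheritance algorithm. The pod layout,
// WebIDs and rules below are constructed for illustration only.

const OWNER = 'https://alice.example/profile/card#me';   // assumed WebID
const AUTHENTICATED = 'acl:AuthenticatedAgent';
const EVERYONE = 'foaf:Agent';

// Each ACL document is keyed by the resource it governs; its Authorization
// rules are keyed by subject ("#owner", "#public") so one can be removed by id.
const pod = {
  '/': {
    '#owner':  { agent: [OWNER], accessTo: ['/'], default: ['/'],
                 mode: ['acl:Read', 'acl:Write', 'acl:Control'] },
    '#public': { agentClass: [EVERYONE], accessTo: ['/'], default: ['/'],
                 mode: ['acl:Read'] },
  },
  '/inbox/': {
    '#owner':      { agent: [OWNER], accessTo: ['/inbox/'], default: ['/inbox/'],
                     mode: ['acl:Read', 'acl:Write', 'acl:Control'] },
    '#submitters': { agentClass: [AUTHENTICATED], accessTo: ['/inbox/'],
                     default: ['/inbox/'], mode: ['acl:Append'] },
  },
  '/private/': {
    // accessTo only, no acl:default: the container itself is reachable, but a
    // child without its own ACL inherits nothing here, not even for the owner.
    '#owner': { agent: [OWNER], accessTo: ['/private/'],
                mode: ['acl:Read', 'acl:Write', 'acl:Control'] },
  },
  '/legacy/': {
    // Old-style ACL still using acl:defaultForNew; this model treats it as an
    // alias of acl:default (an assumption made here for legacy documents).
    '#public': { agentClass: [EVERYONE], accessTo: ['/legacy/'],
                 defaultForNew: ['/legacy/'], mode: ['acl:Read'] },
  },
};

// '/inbox/msg1' -> '/inbox/', '/inbox/' -> '/', '/' -> null
function parentOf(path) {
  if (path === '/') return null;
  const trimmed = path.endsWith('/') ? path.slice(0, -1) : path;
  return trimmed.slice(0, trimmed.lastIndexOf('/') + 1);
}

function inheritsTo(rule) {
  return [...(rule.default || []), ...(rule.defaultForNew || [])];
}

// Rules governing `resource`: its own ACL's accessTo rules if it has an ACL,
// otherwise the acl:default rules of the nearest ancestor that has an ACL.
function effectiveRules(pod, resource) {
  if (pod[resource]) {
    return Object.values(pod[resource])
      .filter(r => (r.accessTo || []).includes(resource));
  }
  for (let p = parentOf(resource); p !== null; p = parentOf(p)) {
    if (pod[p]) {
      return Object.values(pod[p]).filter(r => inheritsTo(r).includes(p));
    }
  }
  return [];   // no ACL anywhere up the tree
}

// `agent` is { webId } for a logged-in agent, or null for an anonymous request.
function ruleMatches(rule, agent) {
  const classes = rule.agentClass || [];
  if (classes.includes(EVERYONE)) return true;
  if (agent === null) return false;
  if (classes.includes(AUTHENTICATED)) return true;
  return (rule.agent || []).includes(agent.webId);
}

// Union of the modes granted to `agent` on `resource`, sorted for stable comparison.
function allowedModes(pod, resource, agent) {
  const modes = new Set();
  for (const rule of effectiveRules(pod, resource)) {
    if (ruleMatches(rule, agent)) rule.mode.forEach(m => modes.add(m));
  }
  return [...modes].sort();
}

// Remove one Authorization by subject id, e.g. removeRule(pod, '/', '#public').
function removeRule(pod, aclFor, subjectId) {
  if (!pod[aclFor] || !(subjectId in pod[aclFor])) return false;
  delete pod[aclFor][subjectId];
  return true;
}

const alice = { webId: OWNER };
const bob = { webId: 'https://bob.example/profile/card#me' };   // assumed WebID

console.log(allowedModes(pod, '/inbox/msg1', bob));            // ['acl:Append']
console.log(allowedModes(pod, '/inbox/msg1', null));           // []
console.log(allowedModes(pod, '/private/secret.ttl', alice));  // [] (no acl:default)
console.log(allowedModes(pod, '/legacy/old.ttl', null));       // ['acl:Read']
```

The /private/ case is the one worth remembering: because the walk stops at the first ACL found, the root ACL's acl:default rules never reach /private/secret.ttl, so omitting acl:default on a container ACL silently locks its children rather than falling through to the parent.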

10 000 Thxs