aka App Permission Design and its limits.
Hello, for the Solid Hospitality Exchange Network we’ve tried to design data as follows:
A Hospex Community keeps a list of its members (“vcard:Group vcard:hasMember foaf:Person”). Only members of that community can read that list and find each other that way. (this works.)
This way of access is specified here:
A User keeps their hosting offers and memberships in a solid pod in one or more turtle documents. Currently these hospex data are public, but ideally would be shared only with Other members of User’s communities.
However, even though these Other members have theoretically all the permissions they need to read this User’s hospex data, practically they can’t read it. Such requests from Other members fail with
403 User Unauthorized. So when i’m Other member and i try to access User’s hospex data, i can’t. As if the Pod of User is unable to fetch the list of group members on my behalf and so verify my permissions. (I’ve tried this with different NSS providers, haven’t tried with CSS or ESS)
Can we use non-public groups to define access to our resources?
Is it documented somewhere, how group access works in detail? How the communication between different Pods goes?
Can i hope for this private-group permission to work in the future, or is it a hard technology limit?
Has defining access to resources by groups a future, or is it gonna be deprecated or something? With the different access control mechanisms and mentions about WAC not suitable for production, i’m insecure about this. Practically, access for groups is very useful (for social networks that help people discover each other), but the access control discussion is confusing to me.
I hope this issue is not an instance of Use an app to access data of other user: 403 User Unauthorized which i asked a couple days ago. If it is, i apologize.