File permissions


#1

Say that I have a folder with a file.
Can I make a file so a user can only read it or write?

Is there a way to set write/read permissions using the RDF js library?


#2

I don’t know which if any libraries help you do this, but access is controlled for a specific resource by creating a “.acl” file (same name as the file but add .acl to the end) and defining the permissions as an “access control list” in the .acl file (look that up in the Solid spec).

I haven’t done it myself, so sorry if there’s an easier way that I don’t know yet (other than in the Data Browser UI that is).


#3

Thank you, that is a start


#4

Given that the WebID to the user you want to access is <friends-webid>, you can grant Read+Write-access to that WebID for a resource <path-to-resource-x> by PUTing <path-to-resource-x-acl> with the following:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
<#friend>
    a acl:Authorization;
    acl:agent <friends-webid>;
    acl:accessTo <path-to-resource-x>;
    acl:mode acl:Read, acl:Write.

You can either construct that string programmatically, or you can construct the graph by something like

const acl = $rdf.graph()
// ...
acl.add(subject, predicate, object) // add triples manually; each argument is an rdflib node
// ... five triples in the above example
// serialize() takes the content type before the callback
$rdf.serialize(null, acl, '<path-to-resource-x>', 'text/turtle', (err, body) => {
  // use something like updateManager to PUT the body
})

Needless to say, we want easier ways of doing this… Access Control is on the roadmap of the Solid React SDK, so hopefully we get some good examples there for how to go about this.

EDIT: It’s very important that you don’t rely on a specific location of the ACL-file, as described by the WAC spec. E.g. if the URI of the resource is <resource-uri>, the ACL is not necessarily <resource-uri>.acl. You should check with the server by doing a HEAD request and looking for rel="acl" in the Link part of the response.
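
The two steps described in the post above (find the ACL URL from the Link header, then build the authorization document), as an added example that is not part of the original post or of any Solid library. The function names, the example.com-style URLs and the extra owner authorization are assumptions of this sketch; it does no network I/O and takes the Link header value as a string.

```javascript
// Added example: constructed inputs, no network access.
const ACL_NS = 'http://www.w3.org/ns/auth/acl#';
const MODES = new Set(['Read', 'Write', 'Append', 'Control']);

// Return the absolute ACL URL advertised by rel="acl", or null if absent.
// linkHeader is what response.headers.get('link') gives after a HEAD request.
function aclUrlFromLink(resourceUrl, linkHeader) {
  const entry = /<([^>]*)>([^<]*)/g; // one "<target>; params" link-value per match
  for (const [, target, params] of (linkHeader || '').matchAll(entry)) {
    const rel = /;\s*rel\s*=\s*(?:"([^"]*)"|([^\s;,]+))/i.exec(params);
    const rels = rel ? (rel[1] || rel[2] || '').toLowerCase().split(/\s+/) : [];
    if (rels.includes('acl')) return new URL(target, resourceUrl).href;
  }
  return null; // caller must stop here rather than guess "<resource>.acl"
}

// Reject anything that could break out of a Turtle <IRI> token.
function iri(value) {
  if (/[\s<>"{}|\\^`]/.test(value)) throw new Error('unsafe IRI: ' + value);
  return '<' + new URL(value).href + '>'; // throws on relative or malformed input
}

// One authorization block granting `modes` on `resourceUrl` to `agent`.
function authorization(name, agent, resourceUrl, modes) {
  for (const m of modes) if (!MODES.has(m)) throw new Error('unknown mode: ' + m);
  return [
    `<#${name}>`,
    '    a acl:Authorization;',
    `    acl:agent ${iri(agent)};`,
    `    acl:accessTo ${iri(resourceUrl)};`,
    `    acl:mode ${modes.map((m) => 'acl:' + m).join(', ')}.`,
  ].join('\n');
}

// Full ACL body. The owner block is an assumption of this example: a PUT
// replaces the whole ACL, so it keeps an agent with acl:Control in place.
function buildAcl(resourceUrl, ownerWebId, friendWebId, friendModes) {
  return [
    `@prefix acl: <${ACL_NS}>.`,
    authorization('owner', ownerWebId, resourceUrl, ['Read', 'Write', 'Control']),
    authorization('friend', friendWebId, resourceUrl, friendModes),
  ].join('\n\n') + '\n';
}
```

The string returned by buildAcl is the body to PUT to the URL returned by aclUrlFromLink; a null result means the server advertised no ACL resource for that response.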


#5

@megoth is adding “.acl” to a URL a safe way to locate the ACL file? The spec says that we can’t rely on a specific location for the ACL file. Which means other servers might implement a different ACL location. So to be safe, we’d need to first access the resource, then read the header link with rel=“acl” to find the ACL file’s location.


#6

@jeffz Oh, you’re completely correct, I’ll change my post to reflect that as well.


#7

Thanks for the support. I have another question: is it possible to add read rights to an entire folder, such that all files inside can be read by a specific webId?


#8

Yes, there’s support for inherited authorizations in WAC with acl:accessTo. You can see an example on this in the root ACL for new accounts.