How can a SOLID app have persistent access to all the pods of the users who registered with the app?


#21

Thank you for your answer. I still don’t get why A should define in his pod that he trusts the app, if the app doesn’t want to write/read anything from A’s pod. Only A wants to read B’s pod and do that through the app.


#22

Hi and thank you for your answer. So it is possible to make an application that a user can use to read data from another user’s pod, suppose B’s.
It is possible, but is it based on a backdoor/bug in the Solid software?


#23

Oh yes, I see what you mean. However, to my understanding (I am new to SOLID, you might want to double check!), if the app makes a request to read data from A, the request will come with the origin of the application and therefore it will be checked by the Solid server to see if this origin is allowed in user A’s POD, because the reading occurs in the context of an application.


#24

Because the app acts on A’s behalf. For instance, it could write a fake comment on B’s file, send a wrong IBAN so B transfers money to the wrong account, etc. And even if it’s only reading from B’s account, it could also copy and misuse sensitive information to a third party server. And any of these actions would be done with A’s permission.

(And I still don’t know if A needs to define it as a trusted app or B)


#25

No, it is not possible for an application to make unauthorized access to other users’ PODs; it is only possible through this back door for an application to make unauthorized access to the POD of the user who is currently connected. It just gets around app authorization, not user authentication. Am I being clear?