For my internship project, I’m working with Solid to store user data from my Flutter app. I currently have a question about how ACL files work.
Right now, users log into the app using their Solid identity (from solidcommunity.net), which means the app logs in as the user. But that gives the app full access to the user’s entire Pod, which isn’t ideal.
According to Solid’s principles, permissions should be granted by the user — not by the app itself. So my question is:
How can I set things up so the user can grant limited access — for example, allowing the app to read or write to specific files or folders, rather than the entire Pod?
I want to make sure my app only accesses what it needs, and that the user stays in control of their data.
In Solid there are two permissions and both are needed to gain access - user permission and app permission. If Jane is forbidden permission to a part or all of the pod, it does not matter if AppX has permission to the whole pod. That does not impact Jane’s permissions at all regardless of whether she is using AppX or not. If Jane has no permissions, it doesn’t matter what app she uses. Suppose you give permission for Jane to read resources in ContainerY (by creating an .acl in that container), then she can use AppX to read those resources but ContainerZ (assuming it has no .acl giving access to Jane) is still out of her reach even if someone else using AppX can read it.
Thanks for the response — that part makes sense now. I do have a follow-up question though.
Let’s say I’m the owner of the Pod and have full permissions. How can I ensure that the app I log into doesn’t get full access to my entire Pod, but only to a specific part of it?
I understand that I need to configure ACL files, but where exactly should I set those up? I don’t want the app itself to handle this, since I only want it to have limited access.
The issue is that if I log in as the owner of the Pod, the app ends up with full permissions — it gets my WebID, access tokens, and other authentication data, which means it can make requests on my behalf to any part of the Pod. That’s what I’d like to avoid.
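The ContainerY case from the reply above, written out as a Web Access Control file; this is an added example, not part of the original thread or of any Solid server's shipped configuration. The owner, Jane and AppX URLs are constructed placeholders, and the `acl:origin` line assumes a server that checks the request origin against the ACL, which varies between servers.

```turtle
# ContainerY/.acl  (constructed example; every URL below is a placeholder)
@prefix acl: <http://www.w3.org/ns/auth/acl#> .

# Rule 1: the Pod owner keeps full rights on ContainerY.
# Leaving out a rule with acl:Control would mean nobody can edit this
# ACL afterwards, so it is always written first.
<#owner>
    a acl:Authorization ;
    acl:agent <https://owner.example/profile/card#me> ;
    # <./> resolves to the container this .acl file belongs to.
    acl:accessTo <./> ;
    # acl:default makes the rule apply to resources inside the container
    # that do not carry an ACL of their own.
    acl:default <./> ;
    acl:mode acl:Read, acl:Write, acl:Control .

# Rule 2: Jane may read ContainerY and its contents, nothing more.
# No Write, Append or Control mode is listed, so she cannot change data
# or widen her own access.
<#jane-read>
    a acl:Authorization ;
    acl:agent <https://jane.example/profile/card#me> ;
    # App half of the check: names the web origin of AppX.
    # Assumption: the server enforces acl:origin; verify this on the
    # server in use before relying on it.
    acl:origin <https://appx.example> ;
    acl:accessTo <./> ;
    acl:default <./> ;
    acl:mode acl:Read .

# ContainerZ gets no rule naming Jane in its own .acl, so requests made
# with her WebID are refused there whichever app sends them.
```

The file is stored next to the container it protects, and only an agent holding `acl:Control` on that container can create or change it.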