Programmatically adjust ACL

This looks really great and seams to do what I was looking for. Will give it a try.

Sad to hear, that you are not going to maintain it. Perhaps we should move it to the solid github org and ensure it is maintained by the community?

Looks like you are assuming a specific WebID structure here, which will bring problems to people with different URI structure.

You are right ,thxxs it just a copy/paste from an Acl file to start something but can be improved

1 Like

Sure, if somebody wants to keep it up to date and fix things when issues arise, I think it would be good to transfer it. I just don’t have the time to maintain this project, but I’d be happy if someone else forks it and takes care about it. I could also remove the solid-acl-parser on npm in favor of newer versions.

If this is done, it would probably also make sense to look if the databrowser could use it too. Currently it uses its own implementation iirc. Merging them to one would probably make sense

I also want to note, that my implementation is just one way of doing this. It parses the whole acl file into an object, modifies it, and parses it back. Another way would be to use a library to directly manipulate the turtle (e.g. with SPARQL statements)

Hey @A_A I had some time to try your lib and it is exactly what I was looking for. Thank you very much.

I am encountering just a small problem, perhaps you have an idea:

Couldn’t retrieve the acl location from the link header

This occurs, if I try to add an ACL to a container and there is now ACL except the root acl. If at least one of the parent containers has an ACL everything works fine. But the root ACL cannot be discovered somehow. Might as well be a bug in NSS, not sure.

With curl I can get a link to the ACL file from a Pod root:

▶ curl -s -I https://solid-groups.solid.community/ | grep Link:
Link: <.acl>; rel="acl", <.meta>; rel="describedBy", <http://www.w3.org/ns/ldp#Resource>; rel="type"

But in the browser dev tools it is actually not to be found in the response of the OPTIONS request to the Pod root:

Link: <https://solid-groups.solid.community/.well-known/solid>; rel="service", <https://solid.community>; rel="http://openid.net/specs/connect/1.0/issuer"

Any ideas?

2 Likes

Apparently node-solid-server only sets the link header for GET but not for OPTIONS requests on the root. Here’s a simple script to reproduce it from the browser console when logged in to your pod:

fetch('/', { method: 'GET' }).then(res => console.log(res.headers.get('link')))
// <.acl>; rel="acl", <.meta>; rel="describedBy", <http://www.w3.org/ns/ldp#Resource>; rel="type"
fetch('/', { method: 'OPTIONS' }).then(res => console.log(res.headers.get('link')))
// <https://otman.solid.community/.well-known/solid>; rel="service", <https://solid.community>; rel="http://openid.net/specs/connect/1.0/issuer"

So I believe that it’s an issue of node-solid-server not adding rel="acl" to the link header.

EDIT: For HEAD it works fine. I’m not that familiar with the difference between HEAD and OPTIONS, so probably that should be used instead. If you know more about it just let me know and I’ll change it

2 Likes

I think a HEAD request would be correct as stated in 2.4.3.1. Discovery of Auxiliary Resources

To discover the auxiliary resources directly associated with a given Solid resource, a Solid client MUST issue a HEAD or GET request to the target resource URL and inspect the Link headers in the response.

1 Like

I’ve updated it to use HEAD, can you try it with this version?

2 Likes

Awesome, it’s working :+1: Thanks a lot

1 Like

Hi @A_A sorry to bother you again. Your library has no capability to set a acl:default, or am I missing something?

You can use addDefaultRule(...) instead of addRule(...) to set the default.
https://otto-aa.github.io/solid-acl-parser/#/quickstart?id=working-with-default

Basically you can use everything defined in this map and all methods defined in this class. So if you don’t find a functionality in the documentation you can take a look there (and open a PR to add it to the documentation :))

1 Like

Thanks a lot, sorry I should not have missed that!

Hi @A_A, those libraries are great, as is your pod explorer.
is there any change you can add support for the origin predicate? this would allow trusted apps.

@A_A the issue is that if I create an ACL for a file inheriting (defaulting to) an origin predicate, the subject still points to the default location).

For example, this is what happens to the acl for https://gaia.solid.community/is.darcy/foo.txt after I load the default, amend it, and save it:

@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#trusted-apps> a acl:Authorization;
    acl:agent </profile/card#me>;
    acl:accessTo <./foo.txt>;
    acl:mode acl:Control, acl:Read, acl:Write.
<https://gaia.solid.community/is.darcy/.acl#trusted-apps> acl:origin <https://localhost>.
<#ControlReadWrite> a acl:Authorization;
    acl:agent </profile/card#me>, <mailto:gaia@foo.co.uk>;
    acl:accessTo <./foo.txt>;
    acl:mode acl:Control, acl:Read, acl:Write.
<#Read-0> a acl:Authorization;
    acl:agent <https://giulio.solid.community/profile/card#me>;
    acl:accessTo <./foo.txt>;
    acl:mode acl:Read.

You can see that the origin predicate still points to the parent.

I tried to bodge it by changing the structure just before saving it, but it does not have a setter, so I was wondering if you were inclined to add origin support.

You can take a look at the new inrupt lib too
Seems quite easy to deal with Acl

https://docs.inrupt.com/client-libraries/solid-client-js/tutorial/manage-access-control-list.html

Looks nice indeed, but seems not to be able to add an origin to a permission, yet.

Doesn’t the new Inrupt Client Library include support for adjusting the ACL?
Or are its abilities not advanced enough? (haven’t gotten a chance to look at it closely yet.)

That’s what @Smag0 and I referred to :wink:

1 Like

Oh wow, completely missed that.
Sorry for the remark then.