Hello, I am trying to find the most efficient way to determine what access rights the application has to the user’s POD (NSS and CSS servers).
I know that this info is stored in the user’s webID Profile document under acl:trustedApp predicate, but when I try to check in what form this is stored, it shows an array of blank nodes, and I am not sure how to extract data from it.
AFAIK, acl:trustedApp is only available on NSS. It is in addition to the normal ACL process, not a replacement for it. It should only be used by authorization or fixer apps, not by normal apps. You can’t know “what access rights does an application have to the user’s POD” because ACL rights are per resource, not per pod, though trustedApps partially gets around that to declare pod-wide rights.
The triples are in this form:

    <#me> acl:trustedApp
        [
            acl:mode acl:Append, acl:Control, acl:Read, acl:Write;
            acl:origin <http://example.org>
        ],

This says that the WebID owner grants acl:trustedApp status to apps coming from the origin “http://example.org” for purposes of Append, Control, Read, and Write.
So, to find out all the permissions granted via acl:trustedApp to appX, look for statements that have the acl:trustedApp predicate, examine the object of its object. (i.e. you don’t care that the subject is a blank-node, only that the object of the agent or agentClass triples is the origin of appX.)
Unfortunately, at the moment, there is no spec covering how an app gains permission either pod-wide or to a specific resource. The mechanisms for the user to grant permissions are covered, but not the process where an app requests and receives specific permissions. NSS, CSS, and ESS each have different mechanisms. I misspoke above about NSS being the only one that supports acl:trustedApp; Trinpod does also. The interoperability panel is proposing a new spec to cover these issues but, as of now, there is no single interoperable solution.
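
The blank-node lookup discussed in this thread, as an added example that is not part of any post above: it walks from the WebID to each acl:trustedApp node, keeps the nodes whose acl:origin equals the app's origin exactly, and unions their acl:mode values. The WebID, the origins, the blank-node labels and the array-of-triples representation are all constructed for illustration; a real app would get the same statements from its RDF library.

```javascript
// Added example. Triples are constructed sample data in [subject, predicate, object]
// form; "_:bN" are blank-node labels as a parser might assign them (assumption).
const ACL = "http://www.w3.org/ns/auth/acl#";
const ME = "https://alice.example/profile/card#me"; // constructed WebID
const profileTriples = [
  [ME, ACL + "trustedApp", "_:b0"],
  ["_:b0", ACL + "origin", "http://example.org"],
  ["_:b0", ACL + "mode", ACL + "Append"],
  ["_:b0", ACL + "mode", ACL + "Control"],
  ["_:b0", ACL + "mode", ACL + "Read"],
  ["_:b0", ACL + "mode", ACL + "Write"],
  [ME, ACL + "trustedApp", "_:b1"],
  ["_:b1", ACL + "origin", "https://notes.example"],
  ["_:b1", ACL + "mode", ACL + "Read"],
  [ME, ACL + "trustedApp", "_:b2"], // second entry for the same origin
  ["_:b2", ACL + "origin", "https://notes.example/"],
  ["_:b2", ACL + "mode", ACL + "Append"],
  [ME, ACL + "trustedApp", "_:b3"], // different origin sharing a string prefix
  ["_:b3", ACL + "origin", "https://notes.example.other.test"],
  ["_:b3", ACL + "mode", ACL + "Control"],
];

// Objects of every triple matching (subject, predicate, ?).
function objects(triples, subject, predicate) {
  return triples
    .filter(([s, p]) => s === subject && p === predicate)
    .map(([, , o]) => o);
}

// Canonical origin (scheme + host + port), or null when the value has none.
function toOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch { return null; }
}

// Union of the modes granted to appOrigin across all trustedApp entries of webId.
function trustedAppModes(triples, webId, appOrigin) {
  const wanted = toOrigin(appOrigin);
  if (wanted === null) return [];
  const modes = new Set();
  for (const node of objects(triples, webId, ACL + "trustedApp")) {
    const origins = objects(triples, node, ACL + "origin").map(toOrigin);
    if (!origins.includes(wanted)) continue; // whole-origin equality, not a prefix test
    for (const m of objects(triples, node, ACL + "mode"))
      if (m.startsWith(ACL)) modes.add(m.slice(ACL.length));
  }
  return [...modes].sort();
}
```

Comparing parsed origins rather than raw strings keeps `https://notes.example.other.test` from inheriting the modes listed for `https://notes.example`, and the result says nothing about per-resource ACLs, which still apply separately.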