Hello everyone!
As I understand, anyone can publish anything to anyone’s Linked Data Notification inbox. Is this correct? If so, can I know who sent the notification?
Hello again,
It is hard to explain, so I am writing some code (wip); what wheel am I re-inventing?
2 Likes
This looks very interesting!
When someone sends an activity, Agora validates it, right?
The Solid inbox is for all authenticated agents. Is there a way to check which authenticated agent put the activity in the inbox? For instance, if I bypass Agora and directly post “A likes your activity” as B to the inbox, is there a way to know that the notification is sent by B and not A?
Not for the moment, that’s why your page interested me 
The only way to know is that if I post something, the activity & objects are stored in my outbox where I’m the only one how can write, there is just a notification on Agora’s inbox referencing the activity in my outbox folder.
Not currently, as far as I know. To get around this problem in the SDK, we designed a “core-notification” shape that the React SDK conforms to. This includes a lot of ActivityStream concepts and the core ontology from AS. One of the predicates we use is “actor”, which we use as the person who sent or triggered the notification. Not 100% the same thing, as in theory someone could trigger a notification sent “on behalf” of someone else, but a decent start to address the problem.
The shape can be found here, and if you’re using React there’s a library to create notifications that already uses it under the hood.
1 Like
So all that needs to be done is for the server to check that the authenticated person matches the ActivityStreams actor, right?
Now, in the same scenario, if I authenticate as B and send “B likes your activity, and by the way B is the same as A” to the inbox, it will match the constraint but the problem is still here.
Hello! After trying some things with that, I noticed that it requires full pod control. This is a major problem for me so I will stop here.
For now, the application I have in mind will avoid exchanging private notifications, but I look forward to having the equality between the author in the notification shape and the authenticated webid being validated by the server.
Hi @divoplade I’ve not tested yet but it seems that you not need to give access to all your PoD but to a specific folder with the ‘A’ icon . Perhaps ask node-solid-server devs how it works
Hello! This looks like it could solve the problem! I could add an /MyApplication container, and then ask the user to give my app control over /MyApplication. Now, this topic is a mess so I will create a new one with a more specific question.
Thanx, but the location of this functionality is like the building ordinance in the hitchhikers guide to the galaxy: hidden in a cabinet somewhere almost unreachable. And it’s very unintuitive. No normal user is going to be able to use it and trust it, which is ironic because the functionality is about trust…
1 Like