Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

createAclFromFallbackAcl copies over a default block that confuses NSS #1035

Open
RubenVerborgh opened this issue May 12, 2021 · 9 comments
Open

createAclFromFallbackAcl copies over a default block that confuses NSS #1035

RubenVerborgh opened this issue May 12, 2021 · 9 comments
Labels
bug Something isn't working

Comments

@RubenVerborgh
Copy link

When using createAclFromFallbackAcl on a document, it copies over acl:default triples (which only apply to containers), which it seems to do so by creating separate blocks for acl:accessTo and acl:default.
This confuses NSS, which then blocks access to the document under certain circumstances.
@RubenVerborgh RubenVerborgh added the bug Something isn't working label May 12, 2021
@Vinnl
Copy link
Contributor

Vinnl commented May 12, 2021

Thanks for reporting that Ruben. As far as I can see it should add both acl:accessTo and acl:default to the same Rule, so that's something to investigate indeed.

I suppose we should also report this as a bug against NSS? Even with the creation of separate Rules, I don't see anything in the spec that says that that shouldn't work, I think?

@RubenVerborgh RubenVerborgh mentioned this issue May 12, 2021
Open
@RubenVerborgh
Copy link
Author

I suppose we should also report this as a bug against NSS?

Yes: nodeSolidServer/node-solid-server#1596

However, the "circumstances" mentioned above are hard to reproduce, so probably a lot of effort to fix there.

@bourgeoa
Copy link

I do not understand why createAclFromFallbackAcl do not filter out acl:default predicate when creating a non container ACL.

Anyhow can under certain circumstances be more explicit or at least have an example of the ACL created.

@RubenVerborgh
Copy link
Author

I do not understand why createAclFromFallbackAcl do not filter out acl:default predicate when creating a non container ACL.

It probably doesn't know whether it's creating an ACL for a document or a container without making a network request first.

Anyhow can under certain circumstances be more explicit or at least have an example of the ACL created.

Unfortunately, I'm just the messenger here. I've observed the bug happen in someone else's environment, and saw that removing default made it work. The root cause is that the ACL parsing code is not very optimal, I'm afraid.

@bourgeoa
Copy link

It probably doesn't know whether it's creating an ACL for a document or a container without making a network request first.

This is not possible the acl:accessTo object points to a document or a container.

@RubenVerborgh
Copy link
Author

It probably doesn't know whether it's creating an ACL for a document or a container without making a network request first.

This is not possible the acl:accessTo object points to a document or a container.

Indeed. And how do you find out which of those that is? You ask the server 🙂

@bourgeoa
Copy link

bourgeoa commented May 13, 2021
edited

You can use the / semantic which is a MUST

@RubenVerborgh
Copy link
Author

The server normalizes though. Not sure how strictly we are enforcing yet.

@bourgeoa
Copy link

Since PUT to create a container has been added to NSS a strict enforcement of / semantic has been implemented. No example of missing case has been reported either by test or user, but never say never.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Vinnl @RubenVerborgh @bourgeoa