Description
Problem/Motivation
There is currently no easy way for solid client code to determine if the current user has read/write/delete etc access to a given resource (short of reading and parsing the ACL chain, which is both discouraged, and not always possible due to ACL limitations on the .acl files themselves). (See solid/#45 - No way to find out if user is authorized to write to a container for context.)
Proposed Solution
An easy solution to this would be to add support to LDNode for the following:
With every response, the server should include an additional WAC-Allow: header in the HTTP response.
For example, doing an unauthenticated HEAD request on a public read-only resource would yield:
WAC-Allow: user="read", public="read"
Doing a HEAD request (while authenticated) to a resource you have full read/write/control access to:
WAC-Allow: user="read;write;control", public=""
(Note the public="" part -- the empty string denotes no access.)
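A client-side parser for the header format proposed above, added here as an illustration and not part of the original issue or of any Solid library. The function names `parseWacAllow`, `userCan` and `publicCan` are hypothetical, and treating a missing or malformed header as "no access" is an assumption of this sketch; the result is only a hint for client decisions, since the server still evaluates the ACLs on every request.

```javascript
// Parse a WAC-Allow value in the proposed format, e.g.
//   user="read;write;control", public=""
// Returns { user: Set<string>, public: Set<string> }.
function parseWacAllow(headerValue) {
  const result = { user: new Set(), public: new Set() };
  // Header absent (older server, stripped by a proxy): assume no access.
  if (typeof headerValue !== 'string') return result;

  // Each entry is name="mode;mode;..."; the empty string means no access.
  const entry = /([A-Za-z]+)\s*=\s*"([^"]*)"/g;
  let match;
  while ((match = entry.exec(headerValue)) !== null) {
    const group = match[1].toLowerCase();
    // Ignore groups this sketch does not know about instead of guessing.
    if (!Object.prototype.hasOwnProperty.call(result, group)) continue;
    for (const raw of match[2].split(';')) {
      const mode = raw.trim().toLowerCase();
      if (mode) result[group].add(mode);
    }
  }
  return result;
}

// True if the requesting agent (authenticated or not) was granted `mode`.
function userCan(headerValue, mode) {
  return parseWacAllow(headerValue).user.has(mode.toLowerCase());
}

// True if the resource grants `mode` to everyone.
function publicCan(headerValue, mode) {
  return parseWacAllow(headerValue).public.has(mode.toLowerCase());
}

// Constructed sample values, copied from the two examples in the issue text.
const PUBLIC_READ_ONLY = 'user="read", public="read"';
const FULL_ACCESS = 'user="read;write;control", public=""';

console.log(userCan(PUBLIC_READ_ONLY, 'write')); // read-only resource
console.log(userCan(FULL_ACCESS, 'control'));    // owner's view
console.log(publicCan(FULL_ACCESS, 'read'));     // public="" means no access
```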