[discuss] should we switch to requiring container-write instead of resource-write permissions for delete? #47

Closed
michielbdejong opened this issue May 16, 2019 · 4 comments

@michielbdejong
Contributor

This spec clearly states that it requires acl:Write on the resource, but in nodeSolidServer/node-solid-server#729 NSS diverged from the spec.

In nodeSolidServer/node-solid-server#729 (comment) @dmitrizagidulin correctly remarked that this should be made into a spec-level discussion, but it seems that his remark was ignored?

So let's have the discussion now!

Pro change:

  • NSS implementers have already diverged from the spec at this point, and even though they didn't follow process, it would be practical to retroactively agree with them
  • It aligns WAC more with how the Linux file system works

Con change:

  • All changes cost work, and this one is no exception
  • even though NSS may have made this change, inrupt/pod-server has not, so for the current implementations it's 1 against 1. @acoburn what does your Trellis extension for WAC do on this topic?
  • As remarked in Deleting a file should require write permission on the container nodeSolidServer/node-solid-server#729 (comment), and I agree, the current spec makes more sense.
  • It's weird if DELETE requires different permissions than PUT
  • If we do want to separate the two, it would make more sense to split acl:Write into acl:Create, acl:Update, and acl:Delete.
  • Now that I write this, I realize that the distinction is not just update/delete, it's create/update/delete, which makes it.
@RubenVerborgh
Contributor

RubenVerborgh commented May 16, 2019

General note regarding changes:
let us not be influenced too much by what exists. Many things were fast/pragmatic choices, many of which were never discussed or thought through. We still have the luxury of changing things at this point; that luxury will likely have disappeared within a year.

@RubenVerborgh
Contributor

RubenVerborgh commented May 16, 2019

No cherry-picking please 😛

nodeSolidServer/node-solid-server#729 (comment) follows up

@michielbdejong
Contributor Author

I have implemented the current spec in pod-server, which means acl:Write on the resource for create, update, as well as delete. So if in this issue we decide to change the spec, that will mean NSS becomes compliant, but pod-server will stop being compliant.

@michielbdejong michielbdejong changed the title Decide what permissions are needed to delete a resource [discuss] should we switch to requiring container-write instead of resource-write permissions for delete? May 17, 2019
@csarven csarven self-assigned this May 17, 2021
@csarven
Member

csarven commented Jul 8, 2021

Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ . See #authorization-evaluation #reading-writing-resources #access-mode-extensions . See also #85

@csarven csarven closed this as completed Jul 8, 2021
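
The two DELETE rules debated in this thread (acl:Write on the resource versus acl:Write on its container) can be compared side by side. The following is an added example, not code from the thread, NSS, or pod-server; the ACL data, agent names, paths, and function names are all constructed for illustration, and ACL inheritance is left out.

```javascript
// Constructed ACL state: path -> agent -> granted modes (all names hypothetical).
// ACL inheritance is omitted so only the two rules from the thread are compared.
const acl = {
  '/notes/':         { alice: ['Read', 'Write'], bob: ['Read'],          carol: ['Write'] },
  '/notes/todo.ttl': { alice: ['Read'],          bob: ['Read', 'Write'], carol: ['Write'] },
};

function hasMode(path, agent, mode) {
  return ((acl[path] || {})[agent] || []).includes(mode);
}

// '/notes/todo.ttl' -> '/notes/', and '/notes/' -> '/'
function parentContainer(path) {
  const trimmed = path.endsWith('/') ? path.slice(0, -1) : path;
  return trimmed.slice(0, trimmed.lastIndexOf('/') + 1);
}

// Rule A: DELETE requires acl:Write on the resource itself.
function deleteAllowedResourceWrite(agent, path) {
  return hasMode(path, agent, 'Write');
}

// Rule B: DELETE requires acl:Write on the containing container.
function deleteAllowedContainerWrite(agent, path) {
  return hasMode(parentContainer(path), agent, 'Write');
}

// Every (agent, path) pair whose DELETE outcome differs between the two rules.
function divergences(agents, paths) {
  const out = [];
  for (const agent of agents) {
    for (const path of paths) {
      const resourceWrite = deleteAllowedResourceWrite(agent, path);
      const containerWrite = deleteAllowedContainerWrite(agent, path);
      if (resourceWrite !== containerWrite) {
        out.push({ agent, path, resourceWrite, containerWrite });
      }
    }
  }
  return out;
}

console.log(divergences(['alice', 'bob', 'carol'], ['/notes/todo.ttl']));
```

Running a check like this over existing ACLs before switching rules shows which agents would gain or lose the ability to delete.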