CSS Inconsistent permission setting for /profile/

[renyuneyun]

Environment

• CSS version: 2.0.1
• Node.js version: v16.13.2
• npm version: 8.1.2

Description

I'm using CSS with mashlib recipe.

When creating a new user (with its own pod/namespace), CSS is able to create the /profile/ folder and the /profile/card file. They seem to be normal -- card is accessible to everyone.

Avatar file permission

However, after uploading an avatar through the web UI (top-right corner --> edit your profile --> edit your profile --> upload), the avatar is not shown -- it appears to be a not found image (or empty, on the top-right corner):

I then realized this is because of permission. Because of issue #113, I can not directly modify the permission through web UI. But manually creating the .acl file (copying and modifying the .acl file for card) makes the avatar appear.

This shows an inconsistent behaviour when creating the card and the avatar file -- one has its own .acl created, while the other doesn't.

/profile/ folder permission between CSS and NSS

But there is also an issue with the permission of /profile/: on solidcommunity.net (running NSS, as told by others), the folder /profile/ is readable by everyone; on my CSS instance, the folder /profile/ is only readable (and writable, etc) by myself. This is an inconsistent behaviour between different solid server applications.

This matters, because on solidcommunity.net (NSS), there is no need to have separate .acl file for each file under /profile/. It indeed does not have such separate .acl files there:

But on CSS, because /profile/ is not readable by everyone, contents under it need to have .acl files to be correctly readable by everyone.

User folder permission

The above issues do not happen when the user is created directly using the root of the CSS instance. This is because everyone has every permission for every folder under its name, and all sub-folders (recursively).

[bourgeoa]

There are 2 points in your comments :

• what should be the default CSS pod content at creation when building with mashlib, and can we have our own default ? This is a question for CSS
• how can I edit the ACL's until the 401 issue is resolved ? There are many solutions :
  • inside SolidOS
  • creating a new ACL with the permissions-pane works with ACL validation
  • or editing manually the content with the source-pane at the ACL Url in browser
  • using a resource editor compatible with DPoP authentication. Like
  • penny
  • solid-ide with ACL validation
  • podpro

[bourgeoa]

You can participate in https://gitter.im/solid/solidos chat and all gitter.im/solid chats Or join our weekly SolidOS meeting on Thursday at 6 pm CET For more information https://solidos.solidcommunity.net

[renyuneyun]

Thanks for the information. I presume the avatar file should be given read permission to everyone, because it is created by the web UI? Shall I report this part to CSS repo?

Thanks for the tips for the editors. I tried some previously, but did not found the ACL in them (e.g. solid-ide, penny). Trying penny again this time found that. Not sure what "through ACL validation" means... At least in CSS with mashlib, the 401 issue makes the "sharing" pane not working.

Glad to know the relevant chat channel. I saw different channels through the web page, but was hesitating of which one to choose. I'll try to participate in the meeting if possible :)

[renyuneyun]

After having more experience with Solid, I believe the problem in this thread can be simplified as:

When uploading an avatar through Mashlib/SolidOS, it should set up the read permission of the avatar file for everyone.

This should be either

• It tested that the avatar file by default is readable by everyone (e.g. parent folder is readable by everyone), so no need for special settings.
• It tested that the avatar file by default is not readable by everyone (e.g. parent folder is not readable by everyone), so it sets the specific permissions for the avatar file.

Surely this can be deemed as "user's responsibility". But then there is no point of having the avatar uploading functionality in Mashlib/SolidOS too.