activitypods / activitypods

Brings together two game-changing technologies, ActivityPub and Solid Pods, and empowers developers to create truly decentralized applications
https://activitypods.org
Apache License 2.0

Remote WAC permissions are stored on local WAC graph #303

Closed srosset81 closed 1 month ago

srosset81 commented 1 month ago

I've noticed that on v1.5 pod providers, remote WAC permissions are stored on the local WAC graph.

For example, when https://armoise.co/sro gives read permissions to https://armoise.co/vicgarou, this appears on the WAC graph of https://armoise.co/vicgarou:

<https://armoise.co/_acl/sro/data/events/d2dfccb5-f082-473c-8731-090a7e4ab575#Read>
        a       <http://www.w3.org/ns/auth/acl#Authorization> ;
        <http://www.w3.org/ns/auth/acl#accessTo>
                <https://armoise.co/sro/data/events/d2dfccb5-f082-473c-8731-090a7e4ab575> ;
        <http://www.w3.org/ns/auth/acl#agent>
                <https://armoise.co/vicgarou> ;
        <http://www.w3.org/ns/auth/acl#mode>
                <http://www.w3.org/ns/auth/acl#Read> .

We should ensure this doesn't happen anymore on v2 pod providers, and we should clean up all these useless triples.
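An audit for the situation described in the comment above, as an added example that is not part of the original issue and is not ActivityPods or SemApps code: it lists the authorizations in a pod's WAC graph whose `acl:accessTo` target lies outside that pod. It assumes the WAC graph has been exported as Turtle in the form quoted in the issue; the function names and the second sample authorization are constructed for illustration.

```javascript
// Added example (not ActivityPods or SemApps code); function names are hypothetical.
const RDF_TYPE = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type';
const ACL = 'http://www.w3.org/ns/auth/acl#';
// Parser for the Turtle subset shown in the issue only: full IRIs, `a`, `;` and `.`
// (no prefixes, literals, blank nodes or `,` object lists).
function parseTriples(turtle) {
  const tokens = turtle.match(/<[^>]*>|\ba\b|[;.]/g) || [];
  const triples = [];
  let s = null, p = null;
  for (const t of tokens) {
    if (t === '.') { s = null; p = null; continue; }
    if (t === ';') { p = null; continue; }
    const term = t === 'a' ? RDF_TYPE : t.slice(1, -1);
    if (s === null) s = term;
    else if (p === null) p = term;
    else triples.push({ s, p, o: term });
  }
  return triples;
}

// Path-aware containment: ".../vicgarou2/x" is not inside ".../vicgarou".
function isInsidePod(resource, podUri) {
  const base = podUri.replace(/\/+$/, '');
  return resource === base || resource.startsWith(base + '/');
}

function findRemoteAuthorizations(turtle, podUri) {
  const triples = parseTriples(turtle);
  const auths = new Set(triples
    .filter(t => t.p === RDF_TYPE && t.o === ACL + 'Authorization').map(t => t.s));
  return triples
    .filter(t => auths.has(t.s) && t.p === ACL + 'accessTo' && !isInsidePod(t.o, podUri))
    .map(t => ({ authorization: t.s, accessTo: t.o }));
}

// First authorization is the one quoted in the issue; the second is constructed.
const SAMPLE_WAC_GRAPH = `
<https://armoise.co/_acl/sro/data/events/d2dfccb5-f082-473c-8731-090a7e4ab575#Read>
  a <http://www.w3.org/ns/auth/acl#Authorization> ;
  <http://www.w3.org/ns/auth/acl#accessTo> <https://armoise.co/sro/data/events/d2dfccb5-f082-473c-8731-090a7e4ab575> ;
  <http://www.w3.org/ns/auth/acl#agent> <https://armoise.co/vicgarou> ;
  <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read> .
<https://armoise.co/_acl/vicgarou/data/notes/constructed-1#Read>
  a <http://www.w3.org/ns/auth/acl#Authorization> ;
  <http://www.w3.org/ns/auth/acl#accessTo> <https://armoise.co/vicgarou/data/notes/constructed-1> ;
  <http://www.w3.org/ns/auth/acl#agent> <https://armoise.co/sro> ;
  <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read> .
`;
console.log(findRemoteAuthorizations(SAMPLE_WAC_GRAPH, 'https://armoise.co/vicgarou'));
```

The script only reports matches; it does not delete anything from the graph.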

srosset81 commented 1 month ago

This is done by the WebAclMiddleware whenever ldp.remote.store is called:

https://github.com/assemblee-virtuelle/semapps/blob/master/src/middleware/packages/webacl/middlewares/webacl.js#L302-L321

This shouldn't be necessary in a Pod provider config, since the Pod owner is allowed to view all resources.

We should try to disable it in Pod provider config, and see if it breaks something.

srosset81 commented 1 month ago

What may also not be necessary is that cached activities (for example activities received in the inbox) also have read permissions for all users the activity has been sent to.

This allows users reading someone else's inbox to see all activities which were sent to them also... but could we do without this?

srosset81 commented 1 month ago

In the end, it seems that all these permissions make sense. The fact the Pod owner has full permissions on the Pod doesn't mean we shouldn't add other permissions. Especially in the future when we will deal with CODs...