
Fluree releases and public bug reports

"read-only" allowance fails (possibly just with `f:allNodes`) #65

Closed aaj3f closed 7 months ago

aaj3f commented 7 months ago

Description

Discovered during testing of fluree/core#61

When creating a read/write role with f:allNodes, queries using that role via opts: { role } behave as expected. HOWEVER, when creating a read-only role with f:allNodes, queries using that role do not behave as expected: they return [] instead of the data the role should be able to view.

This is to say, the following f:Policy allows read-access (and write-access) to all data:

{
    "@context": {
        "ex": "http://example.org/",
        "schema": "http://schema.org/",
        "f": "https://ns.flur.ee/ledger#"
    },
    "ledger": "cookbook/base",
    "insert": {
        "@id": "ex:rootPolicy",
        "@type": ["f:Policy"],
        "f:targetNode": {"@id": "f:allNodes"},
        "f:allow": [
            {
                "@id": "ex:rootAccessAllow",
                "f:targetRole": {"@id": "ex:rootRole"},
                "f:action": [{"@id": "f:view"}, {"@id": "f:modify"}]
            }
        ]
    }
}

But if you simply remove { "@id": "f:modify" }, then the same role has no read-access to the data:

{
    "@context": {
        "ex": "http://example.org/",
        "schema": "http://schema.org/",
        "f": "https://ns.flur.ee/ledger#"
    },
    "ledger": "cookbook/base",
    "insert": {
        "@id": "ex:rootPolicy",
        "@type": ["f:Policy"],
        "f:targetNode": {"@id": "f:allNodes"},
        "f:allow": [
            {
                "@id": "ex:rootAccessAllow",
                "f:targetRole": {"@id": "ex:rootRole"},
                "f:action": [{"@id": "f:view"}] // this is the only line that changed
            }
        ]
    }
}

Steps to Reproduce

Create ledger

{
    "@context": {
        "ex": "http://example.org/",
        "schema": "http://schema.org/"
    },
    "ledger": "cookbook/base",
    "insert": [
        {
            "@id": "ex:freddy",
            "@type": "ex:Yeti",
            "schema:name": "Freddy"
        },
        {
            "@id": "ex:andrew",
            "@type": "schema:Person",
            "schema:name": "Andrew Johnson"
        }
    ]
}

Add Policy (note f:allNodes & f:view without f:modify)

{
    "@context": {
        "ex": "http://example.org/",
        "schema": "http://schema.org/",
        "f": "https://ns.flur.ee/ledger#"
    },
    "ledger": "cookbook/base",
    "insert": {
        "@id": "ex:rootPolicy",
        "@type": ["f:Policy"],
        "f:targetNode": {"@id": "f:allNodes"},
        "f:allow": [
            {
                "@id": "ex:rootAccessAllow",
                "f:targetRole": {"@id": "ex:rootRole"},
                "f:action": [{"@id": "f:view"}]
            }
        ]
    }
}

Query as ex:rootRole (note that if the policy had granted both f:view AND f:modify, this query succeeds)

{
    "@context": {
        "schema": "http://schema.org/",
        "ex": "http://example.org/"
    },
    "from": "cookbook/base",
    "where": {
        "@id": "?s",
        "schema:name": "?name"
    },
    "select": {
        "?s": ["*"]
    },
    "opts": {
        "role": "ex:rootRole"
    }
}

// =>

[]