nodeSolidServer / node-solid-server

Solid server on top of the file-system in NodeJS
https://solidproject.org/for-developers/pod-server

Updating ACL of file through Web UI #896

Open pheyvaer opened 5 years ago

pheyvaer commented 5 years ago

Hi,

I'm trying to update the ACL file of a file on my https://solid.community POD. The file is called ping.ttl and I see the ACL file ping.ttl.acl. However, when I edit the file via the Web UI and try to save it, I get the following error: Error saving back: Error: Web error: 403 (Forbidden) on PUT of <https://ph2.solid.community/public/ping.ttl.acl>.

timbl commented 5 years ago

Are you using the source editor pane to directly edit the ACL file ping.ttl.acl, or using the permissions pane on ping.ttl? In either case the 403 error is strange; if the file is one you own, you should have the ability to control access to ping.ttl, i.e. change ping.ttl.acl.

timbl commented 5 years ago

Strange. I wonder whether the top level ACL on your top folder has been damaged.

pheyvaer commented 5 years ago

I tried editing directly ping.ttl.acl. This gave the 403. I tried with the permissions pane, but there I have no idea how to actually add something. I'm only able to see the current permissions. Is there a button that I'm missing here?

timbl commented 5 years ago

No, the UI is all rough around the edges... the UI works with drag and drop

timbl commented 5 years ago

Is the UI sharing pane you are looking at black and white or colored?

timbl commented 5 years ago

If black and white, then you need to press the button to allow specific control of this file|folder

pheyvaer commented 5 years ago

This is what I get. I guess that is the color version?

[Screenshot: screen shot 2018-11-02 at 11 34 12]

I would like, for example, to add someone to the 'submitters'.

timbl commented 5 years ago

Looks good

timbl commented 5 years ago

If you drag the globe up from the green bar to the red bar then that will give everyone write access as well as read access

pheyvaer commented 5 years ago

This results in the following error: ACL file save failed: Web error: 403 (Forbidden) on PUT of <https://ph2.solid.community/public/ping.ttl.acl>

timbl commented 5 years ago

You can go to someone's WebID in the browser and then drag that URL from the browser into the ACL panel

the URL bar drags by dragging the padlock icon

timbl commented 5 years ago

Hmph Bizarre. You seem to be logged in as PH2, you should be able to control sharing.

timbl commented 5 years ago

That should work

timbl commented 5 years ago

I'll ask @kjetilk

kjetilk commented 5 years ago

@pheyvaer could you please paste your ping.ttl.acl?

pheyvaer commented 5 years ago

@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
@prefix n1: <http://xmlns.com/foaf/0.1/>.

:owner
n0:accessTo <ping.ttl>; n0:agent c:me; n0:mode n0:Control, n0:Read, n0:Write.
:public n0:accessTo <ping.ttl>; n0:agentClass n1:Agent; n0:mode n0:Read.

I was able to get this via the 'data as N3' button, but the 'source' button gave me also a 403.

kjetilk commented 5 years ago

OK, that's pretty weird... Because I get a 401 Unauthorized when I GET ping.ttl, and I should at least have read to that... We have a real bug here, that's for sure.

So, the current code defaults to deny for any error it encounters, which also makes it harder to debug... For example, if there is a syntax error in any ACL file in the tree, that could have this effect. This file is certainly valid, so could you please paste the ACL files upwards in the tree? That should be /public/.acl and /.acl?

timbl commented 5 years ago

Did you try to edit the ACL file by hand at any time? (Only possible thing I can think of just now is that the ACL file exists but is badly formatted with parse errors, and the server defaults to being safe and so denies access.)

pheyvaer commented 5 years ago

@kjetilk /public/.acl contains the following:

# ACL resource for the public folder
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

# The owner has all permissions
<#owner>
    a acl:Authorization;
    acl:agent <https://ph2.solid.community/profile/card#me>;
    acl:accessTo <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Read, acl:Write, acl:Control.

# The public has read permissions
<#public>
    a acl:Authorization;
    acl:agentClass foaf:Agent;
    acl:accessTo <./>;
    acl:defaultForNew <./>;
    acl:mode acl:Read.

/.acl contains the following:

# Root ACL resource for the user account
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

<#owner>
    a acl:Authorization;

    acl:agent <https://ph2.solid.community/profile/card#me> ;

    # Optional owner email, to be used for account recovery:
    acl:agent <mailto:pheyvaer.heyvaert@ugent.be>;

    # Set the access to the root storage folder itself
    acl:accessTo </>;

    # All resources will inherit this authorization, by default
    acl:defaultForNew </>;

    # The owner has all of the access modes allowed
    acl:mode
        acl:Read, acl:Write, acl:Control.

# Data is private by default; no other agents get access unless specifically
# authorized in other .acls

@timbl I've tried it by hand via the UI, but that never got saved. So all should be unchanged.
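Added example, not node-solid-server's code: a simplified model of the lookup discussed above, walking from ping.ttl.acl up through /public/.acl and /.acl, using the nearest ACL document that exists and denying when that document cannot be parsed, while reporting which file caused the denial. The `acls` map is the three ACLs pasted in this thread transcribed by hand, and `aclCandidates`, `effectiveModes` and `canEditAcl` are hypothetical names.

```javascript
// Added example: a simplified model of nearest-ACL lookup with deny-on-error.
// Constructed data: the three ACLs from this thread, transcribed by hand into
// objects; `default` stands for acl:defaultForNew.
const ROOT = 'https://ph2.solid.community/';
const ME = ROOT + 'profile/card#me';
const ALL = ['Read', 'Write', 'Control'];
const acls = new Map([
  [ROOT + 'public/ping.ttl.acl', [
    { agent: ME, accessTo: ROOT + 'public/ping.ttl', modes: ALL },
    { agentClass: 'foaf:Agent', accessTo: ROOT + 'public/ping.ttl', modes: ['Read'] }]],
  [ROOT + 'public/.acl', [
    { agent: ME, accessTo: ROOT + 'public/', default: ROOT + 'public/', modes: ALL },
    { agentClass: 'foaf:Agent', accessTo: ROOT + 'public/', default: ROOT + 'public/', modes: ['Read'] }]],
  [ROOT + '.acl', [{ agent: ME, accessTo: ROOT, default: ROOT, modes: ALL }]],
]);

// ACL documents to try, nearest first: <resource>.acl, then each ancestor's .acl.
// Assumes the host root is the storage root.
function aclCandidates(resource) {
  const out = [{ url: resource + '.acl', inherited: false }];
  let dir = resource;
  for (;;) {
    const up = new URL(dir.endsWith('/') ? '..' : '.', dir).href;
    if (up === dir) return out; // reached the root
    out.push({ url: up + '.acl', inherited: true });
    dir = up;
  }
}

// agent is a WebID string, or null for an unauthenticated request.
// A store value that is an Error models an ACL document that failed to parse.
function effectiveModes(resource, agent, store) {
  for (const { url, inherited } of aclCandidates(resource)) {
    if (!store.has(url)) continue; // no ACL here (404): keep walking up
    const rules = store.get(url);
    if (rules instanceof Error) // fail closed, but name the file that caused it
      return { modes: [], source: url, denied: `cannot parse ${url}: ${rules.message}` };
    const modes = new Set();
    for (const r of rules) {
      const applies = inherited ? resource.startsWith(r.default || '\0') : r.accessTo === resource;
      const who = (agent !== null && r.agent === agent) || r.agentClass === 'foaf:Agent';
      if (applies && who) r.modes.forEach((m) => modes.add(m));
    }
    return { modes: [...modes].sort(), source: url };
  }
  return { modes: [], source: null, denied: 'no ACL document found up to the root' };
}

// Writing <resource>.acl requires acl:Control on the resource itself.
const canEditAcl = (resource, agent, store) =>
  effectiveModes(resource, agent, store).modes.includes('Control');
```

Under this model the owner WebID holds Control on ping.ttl, so a 403 on the PUT of ping.ttl.acl is not explained by the pasted ACLs themselves; returning the `source` and `denied` fields alongside the decision is what makes a deny-on-error policy debuggable from server logs.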

kjetilk commented 5 years ago

Right, they validate as Turtle here... I think we need to look at the server logs for this, I don't know how much detail we have there though.

kidehen commented 5 years ago

@pheyvaer ,

When you save manually, via the editing tool initialized by clicking </> from the data browser control strip, you have to do the following to enact the "save" operation:

  1. Click on the green check icon
  2. Refresh the page loaded to your browser (CTRL+R forced refresh)
  3. Navigate back to document location in the data browser tree

You should see your modifications if the operation was successful. If it wasn't successful, you would see a 403 which would be ACL test failure related.

kjetilk commented 5 years ago

@pheyvaer could you please register an account on https://dev.inrupt.net/ and try it out there?

That's now running the latest beta, and is a test environment. So, don't put anything you want to keep there, but it is intended for testing stuff like this.

pheyvaer commented 5 years ago

Ok so I tested it again. This is what I did

  1. Create /public/test.ttl
  2. Click "Sharing" button

I get the following error in the browser

Error reading ACL. status Can't get headers to find ACL for <https://>: Failed to load <https://> Fetcher: fetch failed: TypeError: Type error status: 999: ( No ACL pointer https:// Can't get headers to find ACL for <https://>: Failed to load <https://> Fetcher: fetch failed: TypeError: Type error status: 999)undefined

kjetilk commented 5 years ago

Where was that @pheyvaer ? There have been pretty big changes, so I need to know the version of the server you are interacting with.

pheyvaer commented 5 years ago

At https://dev.inrupt.net, as you asked. I tried it like 5 hours ago (at the time of my previous comment).

kjetilk commented 5 years ago

Right, thanks!

But doesn't that look like a frontend problem, since it appears to have botched the URL? That error can't come from the server, since the fetcher clearly doesn't have the URL? So, there is some frontend stuff in the server, but I don't know that part well enough, could this be somewhere else in the frontend?

/cc @RubenVerborgh , @megoth

Or is it something on the client side that relies on being told where to put it?

megoth commented 5 years ago

I've been able to reproduce this on dev.inrupt.net and on my local dev-setup. The problem seems to come from the fact that there is no ACL-file for the file directly (the XHR-call returns a 404). It might be that the sharing pane is not working as intended because of changes in v5.

I'll take a closer look at this tomorrow (hopefully I get time).

kjetilk commented 5 years ago

Since it was originally reported on solid.community, it is probably not directly related to v5. I just found https://github.com/solid/solid/issues/235 , perhaps there is something in the base URI setting code somewhere?