Closed michielbdejong closed 2 years ago
I had a look in the code, and when trying to create c1/c2/c3/c4/r
, there is a check whether c1/c2/c3/c4/r
exists, and if not, the "parentAcl" (that of c1/c2/c3/c4/
) is retrieved and correctly checked for Append-or-Write access, as it is required for the creation of c1/c2/c3/c4/r
itself.
What is not checked is whether the client has permissions to create c1/
, c1/c2/
, c1/c2/c3/
and c1/c2/c3/c4/
.
Working on a fix for this in my fork of CSS.
The PermissionBasedAuthorizer has access to a resourceSet where it can check if a resource exists.
Maybe it should also get an identifierStrategy so it can determine parent paths
But it can't return anything other than Promise<void>
.
I tried injecting an identifierStrategy and a resourceSet into the AuthorizingHttpHandler but that led to strange errors. Even if I just add them in the componentsjs config and not use them, it thinks all requests come from an unauthenticated user and rejects them.
Will maybe try again some other day. If I get it working I'll publish it as a spec-compliant fork of CSS (unfortunately we can't fix it in CSS itself since team has asked not be contacted, so we can't create PRs there).
can't fix it in CSS itself since team has asked not be contacted, so we can't create PRs there
That's absurd. If they haven't archived the repo, it's entirely legitimate to create PRs. If they won't merge code fixes, it would be reasonable to submit PR against their README that point to more lively fork(s).
Environment
CSS v4.0.1, node v12.19.1, npm v6.14.8
Description
Save this as
acl.ttl
which gives any agent read-only access to the server root, and read-write access to any contained resources:And upload it to a newly started CSS v4.0.1 instance using:
curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl
Now try these commands:
The first will give a 401, the second a 201. And indeed, if you then run
curl http://localhost:3000/
you will see that although the creation of/test.txt
was blocked correctly, the creation of a/nested
folder in the pod root was not prevented:However, the spec says that creating that
nested/
folder should have require Write or Append on /. Is WAC not enforced for the "mkdir -p" behaviour of creating nested folders?