...
1. Get the ACL of the requested resource.
   a. If ACL exists:
      i. Find union of authorizations that specify access for the requesting user. This includes:
         - authorizations that specify accessTo to the requested resource.
         - authorizations that specify accessToClass of the requested resource type.
      ii. Find union of authorizations that specify access for the requesting user's group. This includes:
         - authorizations that specify accessTo to the requested resource.
         - authorizations that specify accessToClass of the requested resource type.
      iii. If authorizations exist for user or group:
         - Find the union of authorizations found from steps 1.a.i and 1.a.ii.
         - Go to step 4.
      iv. If no authorization exists for user or group:
         - Deny Access. Go to step 2.
   b. If no ACL exists for requested resource:
      - Go to step 2.
2. Get the ACL of the next ancestor (using either ldp:contains or fedora:hasParent).
   a. If ACL exists:
      i. Find union of authorizations that specify access for the requesting user. This includes:
         - authorizations that specify accessTo to the requested resource.
         - authorizations that specify accessToClass of the requested resource type.
      ii. Find union of authorizations that specify access for the requesting user's group. This includes:
         - authorizations that specify accessTo to the requested resource.
         - authorizations that specify accessToClass of the requested resource type.
      iii. If authorizations exist for user or group:
         - Find the union of authorizations found from steps 2.a.i and 2.a.ii.
         - Go to step 4.
      iv. Find union of authorizations that specify access for the requesting user. This includes:
         - authorizations that specify accessTo to the requested resource's ancestor.
      v. Find union of authorizations that specify access for the requesting user's group. This includes:
         - authorizations that specify accessToClass of the requested resource's ancestor.
      vi. If authorizations exist for user or group:
         - Find the union of authorizations found from steps 2.a.iv and 2.a.v.
         - Go to step 4.
      vii. If no authorization exists for user or group:
         - Deny Access. Go to step 2.
   b. If no ACL exists for the current ancestor resource:
      - Go to step 2.
3. If no more ancestors exist (root node reached) and no ACL or no matching authorization is found:
   - Deny access.
4. Use the most permissive from the set of authorizations found.
   - Grant access if the authorizations permit requested access mode (read, write, append).
   - Deny access if the authorizations do not permit requested access mode.
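The walk in steps 1 to 4, as an added Python sketch (not Fedora's own code): `Auth`, `REPO`, `fs`, `matching` and `is_allowed` are hypothetical names and the repository data is constructed. It assumes that "most permissive" means the union of the matched authorizations' modes, and that a missing ACL or a non-matching ACL continues to the next ancestor, with denial only once the root has been passed (step 3).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:
    modes: frozenset
    agents: frozenset = frozenset()           # users named by the authorization
    groups: frozenset = frozenset()           # groups named by the authorization
    access_to: frozenset = frozenset()        # accessTo targets (resource paths)
    access_to_class: frozenset = frozenset()  # accessToClass targets (resource types)

def fs(*items):
    return frozenset(items)

# Constructed sample repository: path -> parent, types, ACL (None = no ACL).
REPO = {
    "/": dict(parent=None, types=fs(), acl=[
        Auth(fs("read", "write"), agents=fs("alice"), access_to=fs("/")),
        Auth(fs("append"), groups=fs("staff"), access_to_class=fs("Image")),
    ]),
    "/coll": dict(parent="/", types=fs(), acl=None),
    "/coll/doc": dict(parent="/coll", types=fs(), acl=[
        Auth(fs("read"), groups=fs("staff"), access_to=fs("/coll/doc")),
    ]),
    "/coll/img": dict(parent="/coll", types=fs("Image"), acl=None),
}

def matching(acl, user, groups, path, types):
    """Union of user and group authorizations that cover `path` or its types."""
    return [a for a in acl
            if (user in a.agents or groups & a.groups)
            and (path in a.access_to or types & a.access_to_class)]

def is_allowed(repo, path, user, groups, mode):
    node = path
    while node is not None:                       # step 1, then step 2 per ancestor
        acl = repo[node]["acl"]
        if acl:
            # Requested resource first, then the ancestor itself (same node in step 1).
            for target in dict.fromkeys((path, node)):
                found = matching(acl, user, groups, target, repo[target]["types"])
                if found:                         # step 4: most permissive = union of modes
                    return mode in frozenset().union(*(a.modes for a in found))
        node = repo[node]["parent"]               # no ACL or no match: next ancestor
    return False                                  # step 3: root passed, nothing matched
```

Because the walk stops at the first ACL that yields any matching authorization, a read-only group match on `/coll/doc` decides the request there, and the write that `alice` holds on the root is never consulted.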
...