...

Finding the ACL on a LDPRm (memento): 

There are three separate entities at play in this scenario.  

  1. LDPRv - the original resource. Potentially has its own ACL or has one via inheritance.
  2. LDPCv - is a full LDPR in and of itself and should have its own ACL because it's a means of discovery for finding information about mementos.
  3. LDPRm - is a full LDPR as well, but the existing ACL that it references should maybe not be its ACL anymore, so that an admin can further change authorization on the mementos without affecting the original LDPR.

Any ACL that is directly associated with a LDPRm will be ignored, as those could be out of date or no longer in existence. To find the ACL that relates to a LDPRm, follow this algorithm:

  1. First look at the LDPCv for the LDPRm to see if it has an ACL access control triple for memento items associated with it ('memento:accessControl').  If so, stop there and honor that ACL as it will apply to all mementos it contains.
  2. Otherwise follow the pattern specified by the SOLID WebAC specification for finding an ACL for a LDPRv:
    1. Use the document's (LDPR) own ACL resource if it exists (in which case, stop here).
    2. Otherwise, look for authorizations to inherit from the ACL of the document's container. If those are found, stop here.
    3. Failing that, check the container's parent container to see if that has its own ACL file, and see if there are any permissions to inherit.
    4. Failing that, move up the container hierarchy until you find a container with an existing ACL file, which has some permissions to inherit.
    5. The root container of a user's account MUST have an ACL resource specified. (If all else fails, the search stops there.)
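The lookup above as a runnable sketch. This is an added example, not code from the project: the in-memory `REPO` model, its paths and the `kind`, `timemap`, `original`, `acl` and `inheritable` keys are constructed assumptions; only the `memento:accessControl` predicate name comes from this page.

```python
class NoAclFound(Exception):
    """Raised when the walk reaches the root without finding an ACL."""

def webac_acl(repo, path):
    """Step 2: WebAC lookup for an LDPRv (own ACL, then nearest inheritable ancestor ACL)."""
    node = repo[path]
    if node.get("acl"):
        return node["acl"]
    parent = node.get("parent")
    while parent is not None:
        container = repo[parent]
        # A container's ACL only counts if it has permissions to inherit.
        if container.get("acl") and container.get("inheritable", True):
            return container["acl"]
        parent = container.get("parent")
    raise NoAclFound(f"no ACL found for {path}; the root container MUST have one")

def effective_acl(repo, path):
    """Return the ACL that governs `path`, treating mementos (LDPRm) specially."""
    node = repo[path]
    if node.get("kind") != "ldprm":
        return webac_acl(repo, path)
    # Any ACL attached directly to the memento is ignored: it may be stale.
    timemap = repo[node["timemap"]]
    if timemap.get("memento:accessControl"):
        return timemap["memento:accessControl"]  # step 1: applies to all mementos
    return webac_acl(repo, node["original"])      # step 2: fall back to the LDPRv

# Constructed sample repository (hypothetical paths).
REPO = {
    "/": {"parent": None, "acl": "/root-acl"},
    "/coll": {"parent": "/", "acl": "/coll-acl", "inheritable": False},
    "/coll/a": {"parent": "/coll"},
    "/coll/a/tm": {"parent": "/coll/a", "memento:accessControl": "/memento-acl-a"},
    "/coll/a/tm/v1": {"kind": "ldprm", "timemap": "/coll/a/tm",
                      "original": "/coll/a", "acl": "/stale-acl"},
    "/coll/b": {"parent": "/coll", "acl": "/b-acl"},
    "/coll/b/tm": {"parent": "/coll/b"},
    "/coll/b/tm/v1": {"kind": "ldprm", "timemap": "/coll/b/tm",
                      "original": "/coll/b", "acl": "/stale-acl"},
    "/coll/c": {"parent": "/coll"},
    "/coll/c/tm": {"parent": "/coll/c"},
    "/coll/c/tm/v1": {"kind": "ldprm", "timemap": "/coll/c/tm", "original": "/coll/c"},
}

if __name__ == "__main__":
    for p in ("/coll/a/tm/v1", "/coll/b/tm/v1", "/coll/c/tm/v1"):
        print(p, "->", effective_acl(REPO, p))
```
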

...