5. Resource Authorization
- Implementations MUST follow the recommendations of Web Access Control
- acl:agentGroup appears to be implemented. Per the wiki documentation, acl:default is not supported; it currently behaves as if "acl:default" exists without the acl:default defined.
- Jira: FCREPO-2742
- Jira: FCREPO-2743
- Jira: FCREPO-2745
5.1 ACLs are LDP RDF Sources
- An ACL for a controlled resource on a conforming server MUST itself be an LDP-RS.
5.2 ACL Representation and Interpretation (Danny Bernstein)
Jira: FCREPO-2833
- Implementations MUST inspect the ACL RDF for authorizations.
- Implementations MUST use only statements associated with an authorization in the ACL RDF to determine access,
  - except in the case of acl:agentGroup statements where the group listing document is dereferenced.
    Jira: FCREPO-2275
- The authorizations MUST be examined to see whether they grant the requested access to the controlled resource.
- If none of the authorizations grant the requested access then the request MUST be denied.
5.3 ACLs are discoverable via Link Headers
- A conforming server MUST advertise the individual resource ACL for every controlled resource in HTTP responses with a rel="acl" link in the Link header, whether or not the ACL exists.
- The ACL resource SHOULD be located in the same server as the controlled resource.
5.4 ACL linking on resource creation (Peter Eichman)
- A client HTTP POST or PUT request to create a new LDPR MAY include a rel="acl" link in the Link header referencing an existing LDP-RS to use as the ACL for the new LDPR.
  - (Peter Eichman) the rel="acl" link header for the second LDPR is ignored
  - (Peter Eichman) instead, the second LDPR's rel="acl" link is to the /fcr:acl endpoint appended to that LDPR's URI
- The server MUST reject the request and respond with a 4xx or 5xx range status code, such as 409 (Conflict) if it isn't able to create the LDPR with the specified LDP-RS as the ACL.
  - (Peter Eichman) see the previous point; a 201 is returned instead of an expected 409 (or other 4xx or 5xx)
- In that response, the restrictions causing the request to fail MUST be described in a resource indicated by a rel="http://www.w3.org/ns/ldp#constrainedBy" link in the Link response header
- These items are silently ignoring the rel="acl" Link header, need to 4xx to change these to .
  Jira: FCREPO-2822
5.5 Cross-Domain ACLs (Peter Eichman)
- Implementations MAY restrict support for ACLs to local resources.
- If an implementation chooses to reject requests concerning remote ACLs,
  - it MUST respond with a 4xx range status code
  - and MUST advertise the restriction with a rel="http://www.w3.org/ns/ldp#constrainedBy" link in the Link response header.
  - (Peter Eichman) these are failing in the same manner as the requests in 5.4; the rel="acl" Link header in the request is silently ignored (Jira: FCREPO-2822)
5.6 Cross-Domain Group Listings
- Implementations MAY restrict support for groups of agents to local Group Listing documents.
- If an implementation chooses to reject requests concerning remote Group Listings,
5.7 Append Mode
- In the context of a Fedora implementation, acl:Append should be understood as operations that only append, such as POSTing to a container, or performing a PATCH that only adds triples.
5.7.1 LDP-RS (Append)
- When a client is allowed to perform acl:Append but not acl:Write operations on an LDP-RS:
  - A DELETE request MUST be denied (Jira: FCREPO-2715)
  - A PATCH request that deletes triples MUST be denied (Jira: FCREPO-2716)
  - A PATCH request that only adds triples SHOULD be allowed (Jira: FCREPO-2716)
  - A PUT request on an existing resource MUST be denied (Jira: FCREPO-2717)
  - A PUT request to create a new resource MUST be allowed if the implementation supports creating resources using PUT (Jira: FCREPO-2717)
5.7.2 LDPC (Append)
- When a client is allowed to perform acl:Append but not acl:Write operations on an LDPC, a POST request MUST be allowed.
  Jira: FCREPO-2823
5.7.3 LDP-NR (Append)
- When a client is allowed to perform acl:Append but not acl:Write operations on an LDP-NR:
  - All DELETE, POST, and PUT requests MUST be denied (Jira: FCREPO-2718)
  - A PATCH request that deletes or modifies existing content MUST be denied
  - A PATCH request that only adds content SHOULD be allowed
    - because LDP-RS attached to LDP-NR are now full resources, I think this ticket should suffice for the previous 2 (Jared Whiklo)
      Jira: FCREPO-2716
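The append-mode rules in 5.7.1 to 5.7.3, written out as a decision function for a client that holds acl:Append but not acl:Write. This is an added example, not Fedora code: the function names and the regex-based SPARQL Update check are assumptions of the sketch, and any PATCH it cannot show to be insert-only is denied.

```python
import re

# Resource kinds from 5.7.1-5.7.3; the names are illustrative, not Fedora's API.
LDP_RS, LDPC, LDP_NR = "LDP-RS", "LDPC", "LDP-NR"

# Spans where a keyword is data, not an operation: string literals, IRIs and
# comments. IRIs are matched before comments so the '#' in <http://a#b> is kept.
_NOISE = re.compile(
    r'"""[\s\S]*?"""|\'\'\'[\s\S]*?\'\'\''
    r'|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\''
    r'|<[^<>"{}|^`\\\s]*>|#[^\n]*')
# SPARQL Update operations that remove or overwrite triples.
_DESTRUCTIVE = re.compile(r"\b(?:DELETE|CLEAR|DROP|MOVE|COPY)\b", re.I)


def patch_is_append_only(sparql_update):
    """True only if the update provably inserts and never removes triples."""
    ops = _NOISE.sub(" ", sparql_update)
    if _DESTRUCTIVE.search(ops):
        return False  # also trips on a name such as ex:delete; that fails closed
    return re.search(r"\bINSERT\b", ops, re.I) is not None


def append_only_allows(kind, method, exists=True, patch_body="", put_creates=True):
    """Decision for a client granted acl:Append but not acl:Write."""
    if method == "POST":
        return kind == LDPC  # 5.7.2 allows it; 5.7.3 denies it on an LDP-NR
    if method == "PUT":  # 5.7.1: create only; 5.7.3: never on an LDP-NR
        return kind != LDP_NR and not exists and put_creates
    if method == "PATCH":
        # Assumption of this sketch: PATCH on an LDP-NR is denied because a
        # SPARQL body cannot show that binary content is only added to.
        return kind != LDP_NR and patch_is_append_only(patch_body)
    return False  # DELETE, and any method append mode does not cover


# Constructed PATCH bodies: the first only mentions DELETE inside a literal.
ADD_TITLE = ('PREFIX dc: <http://purl.org/dc/elements/1.1/>\n'
             'INSERT DATA { <> dc:title "How to DELETE a record" . }')
SWAP_TITLE = ('PREFIX dc: <http://purl.org/dc/elements/1.1/>\n'
              'DELETE { <> dc:title ?t } INSERT { <> dc:title "new" }\n'
              'WHERE { <> dc:title ?t }  # DELETE plus INSERT')
```

A production server would classify the PATCH with a real SPARQL parser; the regex pass is only there to keep the example short.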
5.8 Access To Class
- The acl:accessToClass predicate MUST be supported.
- When an ACL includes an acl:accessToClass statement, it gives access to all resources with the specified type, whether that type is client-managed or server-managed.
- Implementations MAY use inference to infer types not present in a resource's triples or rel="type" links in the Link header.
5.9 Inheritance and Default ACLs
- Inheritance of ACLs in Fedora implementations MUST be reckoned along the LDP containment relationships linking controlled resources, with the following modification:
  - In the case that the controlled resource is uncontained and has no ACL, or that there is no ACL at any point in the containment hierarchy of the controlled resource, then the server MUST supply a default ACL.
    Jira: FCREPO-2826
    Jira: FCREPO-2825
    Jira: FCREPO-2824
    Jira: FCREPO-2683
    NB: acl:default rather than outdated acl:defaultForNew should be used.
- The default ACL resource SHOULD be located in the same server as the controlled resource.
- Jira: FCREPO-2698
  acl:default is not supported; it currently behaves as if "acl:default" exists without the acl:default defined.
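The evaluation order implied by 5.2 and 5.9, as an added example that is not Fedora's implementation: the resource's own ACL, then the nearest ancestor's acl:default authorizations, then the server default ACL, with the request denied when nothing grants the mode. The Authorization class, the repository data and the choice to stop at the nearest ancestor ACL are assumptions of the sketch.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Authorization:                  # one authorization in an ACL document
    modes: set                        # e.g. {"Read", "Append"}
    agents: set = field(default_factory=set)   # acl:agent
    groups: set = field(default_factory=set)   # acl:agentGroup listing URIs
    access_to: Optional[str] = None   # acl:accessTo
    default: Optional[str] = None     # acl:default


def effective_authorizations(resource, acls, parent, server_default):
    """Own ACL, else the nearest ancestor's acl:default rules, else 5.9's default."""
    if resource in acls:
        return [a for a in acls[resource] if a.access_to == resource]
    node = parent.get(resource)
    while node is not None:           # walk LDP containment upward
        if node in acls:              # assumption: stop at the nearest ACL
            return [a for a in acls[node] if a.default == node]
        node = parent.get(node)
    return server_default             # no ACL anywhere in the hierarchy


def is_allowed(agent, mode, resource, acls, parent, server_default, listings):
    """5.2: grant only if some applicable authorization grants the mode."""
    for auth in effective_authorizations(resource, acls, parent, server_default):
        # listings stands in for dereferencing each acl:agentGroup document
        in_group = any(agent in listings.get(g, ()) for g in auth.groups)
        if (agent in auth.agents or in_group) and mode in auth.modes:
            return True
    return False                      # nothing grants it, so deny


# Constructed repository (paths, agents and groups are made up).
PARENT = {"/a/b": "/a", "/a": None, "/loose": None}
ACLS = {"/a": [
    Authorization({"Read"}, agents={"alice"}, access_to="/a", default="/a"),
    Authorization({"Write"}, groups={"/groups/editors"}, access_to="/a"),
]}
LISTINGS = {"/groups/editors": {"bob"}}
SERVER_DEFAULT = [Authorization({"Read"}, agents={"admin"})]
```

In this data the Write authorization on /a carries no acl:default, so bob can write to /a but not to /a/b.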