Bypass WAC checks for all queries on dataset made by the Pod owner

assemblee-virtuelle · Oct 25, 2024 · a360fb8 · a360fb8
1 parent 8d580e7
commit a360fb8
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/src/middleware/packages/sparql-endpoint/service.js b/src/middleware/packages/sparql-endpoint/service.js
@@ -25,19 +25,13 @@ const SparqlEndpointService = {
     async query(ctx) {
       const query = ctx.params.query || ctx.params.body;
       const accept = ctx.params.accept || ctx.meta.headers?.accept || this.settings.defaultAccept;
-      let isPodOwner = false;
-
-      if (this.settings.podProvider) {
-        const account = await ctx.call('auth.account.findByWebId', { webId: ctx.meta.webId });
-        isPodOwner = !!account && account.username === ctx.params.username;
-      }
 
       const response = await ctx.call('triplestore.query', {
         query,
         accept,
         dataset: ctx.params.username,
         // In Pod provider config, query as system when the Pod owner is querying his own data
-        webId: isPodOwner || this.settings.ignoreAcl ? 'system' : ctx.meta.webId
+        webId: this.settings.ignoreAcl ? 'system' : ctx.meta.webId
       });
 
       if (ctx.meta.$responseType === undefined) {

diff --git a/src/middleware/packages/webacl/middlewares/webacl.js b/src/middleware/packages/webacl/middlewares/webacl.js
@@ -1,6 +1,6 @@
+const urlJoin = require('url-join');
 const { throw403 } = require('@semapps/middlewares');
-const { arrayOf, hasType, defaultContainerOptions } = require('@semapps/ldp');
-const { ACTIVITY_TYPES } = require('@semapps/activitypub');
+const { arrayOf, defaultContainerOptions } = require('@semapps/ldp');
 const { isRemoteUri, getSlugFromUri } = require('../utils');
 
 const modifyActions = [
@@ -14,6 +14,8 @@ const modifyActions = [
   'ldp.resource.delete'
 ];
 
+const tripleStoreActions = ['triplestore.insert', 'triplestore.query', 'triplestore.update', 'triplestore.dropAll'];
+
 const addRightsToNewResource = async (ctx, resourceUri, webId) => {
   const { newResourcesPermissions } = await ctx.call('ldp.registry.getByUri', { resourceUri });
   const newRights =
@@ -154,8 +156,7 @@ const WebAclMiddleware = ({ baseUrl, podProvider = false, graphName = 'http://se
 
         throw403();
       };
-    }
-    if (modifyActions.includes(action.name)) {
+    } else if (modifyActions.includes(action.name)) {
       return async ctx => {
         const webId = ctx.params.webId || ctx.meta.webId || 'anon';
         let actionReturnValue;
@@ -363,6 +364,19 @@ const WebAclMiddleware = ({ baseUrl, podProvider = false, graphName = 'http://se
 
         return actionReturnValue;
       };
+    } else if (tripleStoreActions.includes(action.name)) {
+      return async ctx => {
+        if (podProvider) {
+          const webId = ctx.params.webId || ctx.meta.webId || 'anon';
+          const dataset = ctx.params.dataset || ctx.meta.dataset;
+
+          // If the webId is the owner of the Pod, bypass WAC checks
+          if (urlJoin(baseUrl, dataset) === webId) {
+            ctx.params.webId = 'system';
+          }
+        }
+        return next(ctx);
+      };
     }
 
     // Do not use the middleware for this action