Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removing ACL Permission from resource fails using authProvider #1296

Open
Laurin-W opened this issue Aug 14, 2024 · 1 comment
Open

Removing ACL Permission from resource fails using authProvider #1296

Laurin-W opened this issue Aug 14, 2024 · 1 comment
Assignees
@srosset81
Labels
bug Something isn't working

Comments

@Laurin-W
Copy link
Contributor

When I want to remove public read ACL permissions from a resource using the semapps authProvider (removePermission('foaf:Agent', 'acl:agentClass', 'acl:Read');, this fails for me.

The client performs a PUT request on the acl resource which results in an empty ACL resource (at least after filtering in the backend).

The frontend place:

semapps/src/frontend/packages/auth-provider/src/authProvider.js

Lines 353 to 370 in 3839548

const updatedPermissions = json['@graph']
.filter(authorization => !authorization['@id'].includes('#Default'))
.map(authorization => {
const modes = defaultToArray(authorization['acl:mode']);
let agents = defaultToArray(authorization[predicate]);
if (mode && modes.includes(mode) && agents && agents.includes(agentId)) {
agents = agents.filter(agent => agent !== agentId);
}
return { ...authorization, [predicate]: agents };
});
await dataProvider.fetch(aclUri, {
method: 'PUT',
body: JSON.stringify({
'@context': getAclContext(aclUri),
'@graph': updatedPermissions
})
});

Here, all default records are filtered and the result is then replaced with the PUT. Is that intended? When I don't filter them, I get this error: The rights cannot be changed because they are incorrect (triggered in webacl.resource.setRights).

In the backend, it fails here:

semapps/src/middleware/packages/webacl/services/resource/actions/setRights.js

Line 21 in d1620eb

if (newRights.length === 0) throw new MoleculerError('PUT rights cannot be empty', 400, 'BAD_REQUEST');

I suppose, setRights should check for something like a rightsToRemove as well?
@Laurin-W Laurin-W added the bug Something isn't working label Aug 14, 2024
@srosset81
Copy link
Contributor

Permissions management is buggy in many ways, this is why we plan to refactor it entirely in v3

Currently the code prevents a acl:Authorization to be empty. I see it's the same for the PATCH operation. I don't know if it would work if we allowed empty authorizations.

What do you need to change rights for ? In Welcome to my place, all permissions changes are made on the backend and it works pretty well. See for example https://github.com/activitypods/welcometomyplace/blob/v2.0/backend/services/locations.service.js

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@srosset81 srosset81

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@srosset81 @Laurin-W