nodeSolidServer/node-solid-server

A member of a private group can't access a file shared with the group by other member

mrkvon opened this issue · 3 comments

By private group we mean a group defined in a file that has permission to be viewed by the group itself (detailed description follows).

The issue

When we

  1. set up three accounts on NSS (v5.7.2) (1, 2, 3),
  2. create a group on the first account, containing all three accounts, defined as follows
    @prefix : <#>.
    @prefix vcard: <http://www.w3.org/2006/vcard/ns#>.
    @prefix p1: <https://grouptest1.solidcommunity.net/profile/card#me>.
    @prefix p2: <https://grouptest1.solidweb.org/profile/card#me>.
    @prefix p3: <https://grouptest2.solidcommunity.net/profile/card#me>.
    
    :group
        a vcard:Group;
        vcard:hasMember p1:, p2:, p3:.
    (a similar group, but public, is here),
  3. give the group permission to view itself (i.e. set up .acl file for the group file as follows)
    @prefix : <#>.
    @prefix acl: <http://www.w3.org/ns/auth/acl#>.
    @prefix c: </profile/card#>.
    @prefix priv: <private-group.ttl#>.
    
    :ControlReadWrite
        a acl:Authorization;
        acl:accessTo <private-group.ttl>;
        acl:agent c:me;
        acl:mode acl:Control, acl:Read, acl:Write.
    :Read
        a acl:Authorization;
        acl:accessTo <private-group.ttl>;
        acl:agentGroup priv:group;
        acl:mode acl:Read.
    (Here we already have a major win, because group members can see the group. Compare to CSS, which currently fails at this task (CommunitySolidServer/CommunitySolidServer#1442) 🎉),
  4. create a document on the second account
    @prefix : <https://example.com/>.
    :this :is :test.
    😄,
  5. give the group permission to view the document (i.e. set up .acl file for the document as follows)
    @prefix : <#>.
    @prefix acl: <http://www.w3.org/ns/auth/acl#>.
    @prefix c: </profile/card#>.
    @prefix priv: <https://grouptest1.solidcommunity.net/group-test/private-group.ttl#>.
    
    :ControlReadWrite
        a acl:Authorization;
        acl:accessTo <document-private-group-solidcommunity.ttl>;
        acl:agent c:me;
        acl:mode acl:Control, acl:Read, acl:Write.
    :Read
        a acl:Authorization;
        acl:accessTo <document-private-group-solidcommunity.ttl>;
        acl:agentGroup priv:group;
        acl:mode acl:Read.
    (this step already failed with the SolidOS, we needed to set up the .acl manually),
  6. and attempt to access the document with the third account,

it fails with 403 Forbidden.

Expected result

A member of a private group (i.e. a group viewable by itself) can read documents that other members share with the group.

Context and motivation

context and more tests here

This bugfix/feature is a necessary step towards fully functional private groups on Solid. E.g. there are non-public Solid groups, and members of the groups can share (sensitive) data with other group members only.

We stumbled upon this issue when developing a hospitality exchange based on Solid (WIP).
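As an added example (not code from the issue or from NSS), a small Python check that parses the .acl subset used in steps 3 and 5, resolves prefixes and relative IRIs against the ACL document's own URL, and reports whether every acl:accessTo names the governed resource and whether some rule grants the group acl:Read; a mismatched acl:accessTo or a missing group rule yields a 403 that is not a server bug. The sample is the step-3 ACL placed at an assumed URL on the first pod.

```python
import re
from urllib.parse import urljoin

ACL = "http://www.w3.org/ns/auth/acl#"
def _resolve(ref, base):
    """urljoin that keeps a trailing '#' (urljoin drops an empty fragment)."""
    return urljoin(base, ref.rstrip("#")) + ("#" if ref.endswith("#") else "")
def _term(tok, prefixes, base):
    """Resolve <iri>, prefix:local or the keyword 'a' to an absolute IRI."""
    tok = tok.strip()
    if tok.startswith("<"):
        return _resolve(tok[1:-1], base)
    pfx, _, local = tok.partition(":")
    return "http://www.w3.org/1999/02/22-rdf-syntax-ns#type" if tok == "a" else prefixes[pfx] + local
def parse_acl(text, acl_url):
    """Turtle subset of the issue's .acl files -> {subject: {predicate: {objects}}}, all absolute IRIs."""
    prefixes = {p: _resolve(i, acl_url)
                for p, i in re.findall(r"@prefix\s+(\w*):\s*<([^>]*)>\s*\.", text)}
    auths = {}
    for stmt in re.split(r"\.\s*(?:\n|$)", re.sub(r"@prefix[^\n]*\n", "", text)):
        if stmt.strip():
            subj, rest = stmt.split(None, 1)          # ':Read a acl:Authorization; ...'
            props = auths.setdefault(_term(subj, prefixes, acl_url), {})
            for part in filter(str.strip, rest.split(";")):   # ';' separates predicates
                pred, objs = part.split(None, 1)
                props.setdefault(_term(pred, prefixes, acl_url), set()).update(
                    _term(o, prefixes, acl_url) for o in objs.split(","))  # ',' separates objects
    return auths
def check_group_read(acl_text, acl_url, resource_url, group_iri):
    """Findings to clear before treating a 403 as a server bug: every acl:accessTo must
    name the governed resource, and some rule must grant group_iri acl:Read on it."""
    findings, group_can_read = [], False
    for subj, props in parse_acl(acl_text, acl_url).items():
        targets = props.get(ACL + "accessTo", set())
        findings += [f"{subj}: accessTo {t} is not {resource_url}" for t in targets if t != resource_url]
        if (resource_url in targets and group_iri in props.get(ACL + "agentGroup", set())
                and ACL + "Read" in props.get(ACL + "mode", set())):
            group_can_read = True
    if not group_can_read:
        findings.append(f"no authorization grants {group_iri} acl:Read on {resource_url}")
    return findings

# Constructed sample: the step-3 ACL from the issue, at an assumed URL on the first pod.
GROUP_ACL_URL = "https://grouptest1.solidcommunity.net/group-test/private-group.ttl.acl"
GROUP_ACL = """@prefix : <#>. @prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>. @prefix priv: <private-group.ttl#>.
:ControlReadWrite a acl:Authorization; acl:accessTo <private-group.ttl>;
    acl:agent c:me; acl:mode acl:Control, acl:Read, acl:Write.
:Read a acl:Authorization; acl:accessTo <private-group.ttl>;
    acl:agentGroup priv:group; acl:mode acl:Read."""
```

Run check_group_read on the step-5 document ACL the same way, passing the document's URL as resource_url and the absolute group IRI as group_iri; an empty list means the 403 has to come from the server's group lookup, not from the ACL text.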

@mrkvon
Adding acl: default to group-test should resolve the problem.

I added your https://grouptest1.solidcommunity.net/profile/card#me
to the groups in https://bourgeoa2.solidcommunity.net/public/grouptest/

There are documents in https://bourgeoa1.solidcommunity.net/public one with publicgroup, one with privategroup

You should be able to read the private document when logged in with https://grouptest1.solidcommunity.net/profile/card#me


This sounds great! 🪄

I can definitely see the documents when signed in with grouptest1 (and not, when not signed in). 🎉 I don't see either of the groups even when signed in. 🤔 (Please note I changed the group path a bit; I didn't find the group files in /public.)

@bourgeoa
edit: I found your comments on gitter, will test
Could you perhaps share the contents of your https://bourgeoa2.solidcommunity.net/grouptest/publicgroup.ttl.acl, https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl.acl, https://bourgeoa1.solidcommunity.net/public/documentgrouptest.ttl.acl and https://bourgeoa1.solidcommunity.net/public/documentprivategrouptest.ttl.acl, please?
edit: And if not included in these files already, tell me where you added that helpful acl:default and how that .acl looked afterwards?

This could help me try it out myself, and get a better understanding how this works.

Thank you!

@mrkvon Here are the details. Hope this helps.

To go into more detail we can have a video call (with https://meet.jit.si/solid-operating-system) when you are available. I'm on Paris time.

Nota: For your information, I did not succeed in using groups on CSS; I always get 403 (public or private).
You used the same CSS server.
I must try again; I'm using CSS WebIDs from different CSS servers. (I shall rebuild my CSS servers with the latest v5.0.0.)
I can include CSS WebIDs in NSS groups and it works.

  • .acl default is in https://bourgeoa2.solidcommunity.net/grouptest/.acl
    The idea for it came because at first I experimented using the groups created with the Address book app
    https://github.com/SolidOS/userguide#viewing-your-data
    and when I used the groups created with it, I was able to view a file with privategroup without a 403.
    I also remembered lengthy spec discussions on the need to have Read access on a container to access the resources in that container.
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix gro: <./>.
@prefix c: </profile/card#>.

:ControlReadWrite
    a acl:Authorization;
    acl:accessTo gro:;
    acl:agent c:me, <mailto:alain.bourgeois10@gmail.com>;
    acl:default gro:;
    acl:mode acl:Control, acl:Read, acl:Write.
:Read
    a acl:Authorization;
    acl:accessTo gro:;
    acl:agentClass foaf:Agent;
    acl:default gro:;
    acl:mode acl:Read.

@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.

:owner
    a acl:Authorization;
    acl:accessTo <publicgroup.ttl>;
    acl:agent c:me, <mailto:alain.bourgeois10@gmail.com>;
    acl:mode acl:Control, acl:Read, acl:Write.

@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.

:owner
    a acl:Authorization;
    acl:accessTo <privategroup.ttl>;
    acl:agent c:me, <mailto:alain.bourgeois10@gmail.com>;
    acl:mode acl:Control, acl:Read, acl:Write.

:Read
    a acl:Authorization;
    acl:accessTo <private-group.ttl>;
    acl:agentGroup <https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl#this>;
    acl:mode acl:Read.

@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
@prefix Sol: <https://solidos.solidcommunity.net/Contacts/Group/SolidOS_Team.ttl#>.

:ControlReadWrite
    a acl:Authorization;
    acl:accessTo <documentgrouptest.ttl>;
    acl:agent c:me;
    acl:mode acl:Control, acl:Read, acl:Write.
:Read
    a acl:Authorization;
    acl:accessTo <documentgrouptest.ttl>;
    acl:agentGroup Sol:this;
    acl:agentGroup <https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl#this>;
    acl:mode acl:Read.

@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.

:ControlReadWrite
    a acl:Authorization;
    acl:accessTo <documentprivategrouptest.ttl>;
    acl:agent c:me;
    acl:mode acl:Control, acl:Read, acl:Write.

:read
    a acl:Authorization;
    acl:accessTo <documentprivategrouptest.ttl>;
    acl:agentGroup <https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl#this>;
    acl:mode acl:Read.