A member of a private group can't access a file shared with the group by other member
mrkvon opened this issue · 3 comments
By private group we mean a group defined in a file that has permission to be viewed by the group itself (detailed description follows).
The issue
When we
- set up three accounts on NSS (v5.7.2) (1, 2, 3),
- create a group on the first account, containing all three accounts, defined as follows
(a similar group, but public, is here),
@prefix : <#>.
@prefix vcard: <http://www.w3.org/2006/vcard/ns#>.
@prefix p1: <https://grouptest1.solidcommunity.net/profile/card#me>.
@prefix p2: <https://grouptest1.solidweb.org/profile/card#me>.
@prefix p3: <https://grouptest2.solidcommunity.net/profile/card#me>.
:group
a vcard:Group;
vcard:hasMember p1:, p2:, p3:.
- give the group permission to view itself (i.e. set up .acl file for the group file as follows)
(Here we already have a major win, because group members can see the group. Compare to CSS, which currently fails at this task (CommunitySolidServer/CommunitySolidServer#1442)),
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
@prefix priv: <private-group.ttl#>.
:ControlReadWrite
a acl:Authorization;
acl:accessTo <private-group.ttl>;
acl:agent c:me;
acl:mode acl:Control, acl:Read, acl:Write.
:Read
a acl:Authorization;
acl:accessTo <private-group.ttl>;
acl:agentGroup priv:group;
acl:mode acl:Read.
- create a document on the second account,
@prefix : <https://example.com/>.
:this :is :test.
- give the group permission to view the document (i.e. set up .acl file for the document as follows)
(this step already failed with the SolidOS, we needed to set up the .acl manually),
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
@prefix priv: <https://grouptest1.solidcommunity.net/group-test/private-group.ttl#>.
:ControlReadWrite
a acl:Authorization;
acl:accessTo <document-private-group-solidcommunity.ttl>;
acl:agent c:me;
acl:mode acl:Control, acl:Read, acl:Write.
:Read
a acl:Authorization;
acl:accessTo <document-private-group-solidcommunity.ttl>;
acl:agentGroup priv:group;
acl:mode acl:Read.
- and attempt to access the document with the third account,
it fails with 403 Forbidden.
Expected result
A member of a private group (i.e. a group viewable by itself) can read documents that other members share with the group.
Context and motivation
This bugfix/feature is a necessary step towards fully functional private groups on Solid. E.g. there are non-public Solid groups, and members of the groups can share (sensitive) data with other group members only.
We stumbled upon this issue when developing a hospitality exchange based on Solid (WIP).
@mrkvon
Adding acl:default to group-test should resolve the problem.
I added your https://grouptest1.solidcommunity.net/profile/card#me
to the groups in https://bourgeoa2.solidcommunity.net/public/grouptest/
There are documents in https://bourgeoa1.solidcommunity.net/public
one with publicgroup, one with privategroup
You should be able to read the private document when logged in with https://grouptest1.solidcommunity.net/profile/card#me
This sounds great!
I can definitely see the documents when signed in with grouptest1
(and not, when not signed in). I don't see either of the groups even when signed in. (Please note I changed the group path a bit, I didn't find the group files in /public.)
@bourgeoa
edit: I found your comments on gitter, will test
Could you perhaps share contents of your https://bourgeoa2.solidcommunity.net/grouptest/publicgroup.ttl.acl, https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl.acl, https://bourgeoa1.solidcommunity.net/public/documentgrouptest.ttl.acl and https://bourgeoa1.solidcommunity.net/public/documentprivategrouptest.ttl.acl, please?
edit: And if not included in these files already, tell me where you added that helpful acl:default and how that .acl looked afterwards?
This could help me try it out myself, and get a better understanding how this works.
Thank you!
@mrkvon Here are the details. Hope this helps.
To go on more details we can have a video (with https://meet.jit.si/solid-operating-system)
when you are available. I'm on Paris time.
Note: For your information, I did not succeed in using groups on CSS; I always get 403 (public or private).
You used the same CSS server
I must try again; I'm using CSS WebIDs from different CSS servers. (I shall rebuild my CSS servers with the latest v5.0.0.)
I can include CSS WebIDs in NSS groups and it works.
- .acl default is in https://bourgeoa2.solidcommunity.net/grouptest/.acl
The idea for it came because at first I experimented using the groups created with the Address Book app (https://github.com/SolidOS/userguide#viewing-your-data), and when I used the groups created with it, I was able to view a file with privategroup without a 403.
I also remembered lengthy spec discussions on the need to have Read access on a container to access the resources in that container.
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix gro: <./>.
@prefix c: </profile/card#>.
:ControlReadWrite
a acl:Authorization;
acl:accessTo gro:;
acl:agent c:me, <mailto:alain.bourgeois10@gmail.com>;
acl:default gro:;
acl:mode acl:Control, acl:Read, acl:Write.
:Read
a acl:Authorization;
acl:accessTo gro:;
acl:agentClass foaf:Agent;
acl:default gro:;
acl:mode acl:Read.
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
:owner
a acl:Authorization;
acl:accessTo <publicgroup.ttl>;
acl:agent c:me, <mailto:alain.bourgeois10@gmail.com>;
acl:mode acl:Control, acl:Read, acl:Write.
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
:owner
a acl:Authorization;
acl:accessTo <privategroup.ttl>;
acl:agent c:me, <mailto:alain.bourgeois10@gmail.com>;
acl:mode acl:Control, acl:Read, acl:Write.
:Read
a acl:Authorization;
acl:accessTo <private-group.ttl>;
acl:agentGroup <https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl#this>;
acl:mode acl:Read.
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
@prefix Sol: <https://solidos.solidcommunity.net/Contacts/Group/SolidOS_Team.ttl#>.
:ControlReadWrite
a acl:Authorization;
acl:accessTo <documentgrouptest.ttl>;
acl:agent c:me;
acl:mode acl:Control, acl:Read, acl:Write.
:Read
a acl:Authorization;
acl:accessTo <documentgrouptest.ttl>;
acl:agentGroup Sol:this;
acl:agentGroup <https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl#this>;
acl:mode acl:Read.
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix c: </profile/card#>.
:ControlReadWrite
a acl:Authorization;
acl:accessTo <documentprivategrouptest.ttl>;
acl:agent c:me;
acl:mode acl:Control, acl:Read, acl:Write.
:read
a acl:Authorization;
acl:accessTo <documentprivategrouptest.ttl>;
acl:agentGroup <https://bourgeoa2.solidcommunity.net/grouptest/privategroup.ttl#this>;
acl:mode acl:Read.
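To make the two observations in this thread concrete (the issue's 403 for the third account, and bourgeoa's point that whoever resolves the group needs Read on the group document or its container), here is a small Web Access Control evaluator written for this page. It is an added example, not code from NSS, CSS or SolidOS. It implements acl:accessTo, acl:default inheritance from the nearest ancestor container, acl:agent, acl:agentGroup and acl:agentClass foaf:Agent. One design choice for acl:agentGroup is an assumption, not something the thread establishes: the server reads a group document it hosts itself directly, but fetches a group document on another server over HTTP without the requester's credentials. The WebIDs and the group URL are the ones from the issue; the document path on solidweb.org, the `NETWORK` registry and all function names are constructed for the example.

```python
"""Toy WAC evaluator added for this thread; not NSS or CSS code. It models
acl:accessTo, acl:default inheritance, acl:agent, acl:agentGroup and
acl:agentClass foaf:Agent, plus one ASSUMED choice for resolving acl:agentGroup:
a server reads group documents it hosts directly, but fetches a group document
on another server over HTTP with no credentials. WebIDs and the group URL are
the thread's; the document path is a constructed placeholder."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent"
READ, WRITE, CONTROL = "Read", "Write", "Control"
NETWORK = {}  # hostname -> WacServer, lets one server "fetch" from another

@dataclass
class Authorization:
    """One acl:Authorization with absolute URLs."""
    modes: set
    access_to: set = field(default_factory=set)      # acl:accessTo
    default_for: set = field(default_factory=set)    # acl:default
    agents: set = field(default_factory=set)         # acl:agent
    agent_groups: set = field(default_factory=set)   # acl:agentGroup
    agent_classes: set = field(default_factory=set)  # acl:agentClass

def parent_container(url):
    """Parent container URL, or None at the origin root."""
    trimmed = url.rstrip("/")
    return None if trimmed.count("/") <= 2 else trimmed.rsplit("/", 1)[0] + "/"

class WacServer:
    def __init__(self, hosts, acls, group_docs):
        self.hosts, self.acls, self.group_docs = set(hosts), acls, group_docs
        for host in hosts:
            NETWORK[host] = self

    def effective_rules(self, resource):
        """Own ACL wins; otherwise the nearest ancestor container's acl:default."""
        if resource in self.acls:
            return [r for r in self.acls[resource] if resource in r.access_to]
        container = parent_container(resource)
        while container is not None:
            if container in self.acls:
                return [r for r in self.acls[container] if container in r.default_for]
            container = parent_container(container)
        return []

    def group_members(self, group_url):
        doc = group_url.split("#", 1)[0]
        host = urlsplit(doc).hostname
        if host in self.hosts:  # ASSUMED: a locally hosted group is read with no ACL check
            return self.group_docs.get(group_url, set())
        remote = NETWORK.get(host)  # ASSUMED: a remote group is fetched anonymously
        if remote is None or not remote.authorize(None, doc, READ):
            return set()
        return remote.group_docs.get(group_url, set())

    def authorize(self, agent, resource, mode):
        """True if agent (a WebID, or None for anonymous) may perform mode."""
        for rule in self.effective_rules(resource):
            if mode not in rule.modes:
                continue
            if FOAF_AGENT in rule.agent_classes:
                return True
            if agent is not None and (agent in rule.agents or any(
                    agent in self.group_members(g) for g in rule.agent_groups)):
                return True
        return False

P1 = "https://grouptest1.solidcommunity.net/profile/card#me"
P2 = "https://grouptest1.solidweb.org/profile/card#me"
P3 = "https://grouptest2.solidcommunity.net/profile/card#me"
GROUP_DOC = "https://grouptest1.solidcommunity.net/group-test/private-group.ttl"
GROUP, CONTAINER = GROUP_DOC + "#group", GROUP_DOC.rsplit("/", 1)[0] + "/"
DOC = "https://grouptest1.solidweb.org/group-test/document-private-group-solidcommunity.ttl"  # placeholder path

def build_scenario(group_acl="private", same_server=False):
    """Rebuild the thread's setup; return the server holding DOC. group_acl:
    'private' = owner + Read for the group itself (the issue); 'public' adds Read
    for foaf:Agent; 'inherit' = no own .acl, the container grants foaf:Agent Read
    via acl:default (modelled on the grouptest/.acl posted above)."""
    if group_acl == "inherit":
        group_acls = {CONTAINER: [
            Authorization({CONTROL, READ, WRITE}, {CONTAINER}, {CONTAINER}, agents={P1}),
            Authorization({READ}, {CONTAINER}, {CONTAINER}, agent_classes={FOAF_AGENT})]}
    else:
        rules = [Authorization({CONTROL, READ, WRITE}, {GROUP_DOC}, agents={P1}),
                 Authorization({READ}, {GROUP_DOC}, agent_groups={GROUP})]
        if group_acl == "public":
            rules.append(Authorization({READ}, {GROUP_DOC}, agent_classes={FOAF_AGENT}))
        group_acls = {GROUP_DOC: rules}
    doc_acl = [Authorization({CONTROL, READ, WRITE}, {DOC}, agents={P2}),
               Authorization({READ}, {DOC}, agent_groups={GROUP})]
    members = {GROUP: {P1, P2, P3}}
    NETWORK.clear()
    if same_server:
        WacServer({"grouptest1.solidcommunity.net", "grouptest1.solidweb.org"},
                  {**group_acls, DOC: doc_acl}, members)
    else:
        WacServer({"grouptest1.solidcommunity.net"}, group_acls, members)
        WacServer({"grouptest1.solidweb.org"}, {DOC: doc_acl}, {})
    return NETWORK["grouptest1.solidweb.org"]

def third_member_can_read_doc(group_acl="private", same_server=False):
    """The issue's last step: account 3 asks the document's server for Read."""
    return build_scenario(group_acl, same_server).authorize(P3, DOC, READ)

def member_can_read_group(group_acl="private"):
    """The issue's 'major win': a member asks the group's own server for Read."""
    build_scenario(group_acl)
    return NETWORK["grouptest1.solidcommunity.net"].authorize(P3, GROUP_DOC, READ)
```

Under this model, `member_can_read_group()` is True (the group sees itself, as the issue reports) while `third_member_can_read_doc()` is False with the thread's exact setup: the document lives on solidweb.org, the group on solidcommunity.net, and the anonymous cross-server fetch of a group document that only the group may read yields nothing to match against, so the request ends as a 403. Making the group document readable to whoever resolves membership changes the outcome: `third_member_can_read_doc("public")`, `third_member_can_read_doc("inherit")` (bourgeoa's container acl:default, which only applies because the group document then has no .acl of its own) and `third_member_can_read_doc(same_server=True)` all return True. Note that in the thread bourgeoa's group and documents are both on solidcommunity.net while the issue's are split across two servers; which of these explanations matches the real NSS behaviour is not settled by the thread and would need to be confirmed against the server's group-lookup code.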