Phase 2 of the umbrella plan in #427.

## Scope

Make the ACL generators emit relative `acl:agent` URIs when the owner WebID is hosted under the same pod. Update the callers in `src/handlers/container.js` and `src/server.js` (`createRootPodStructure`) accordingly. The parser already resolves relative agent URIs against the ACL document URL, as proven by PR #65 (bdbbbb7), which closed #64.

Generators in scope:

- `generateOwnerAcl`
- `generatePrivateAcl`
- `generateInboxAcl`
- `generatePublicFolderAcl`

(`generatePublicReadAcl` has no agent and is unaffected.)

## Concrete change

Each generator currently takes `ownerWebId` (absolute) and emits:

```js
'acl:agent': {'@id': ownerWebId},
```

…and the caller passes `${podUri}profile/card.jsonld#me`. After Phase 2:

- The caller passes the relative form: `'./profile/card.jsonld#me'` (root pod) or `'./<name>/profile/card.jsonld#me'`, resolved against the `.acl` URL.
- The generator emits it verbatim.

Important asymmetry: the WebID as published in the user's profile (the `/profile/card.jsonld#me` document body) stays absolute; that is the global identifier other servers dereference. Only the in-ACL reference becomes relative.

## Why

After Phase 1, public read works across hosts. Owner read/write only works on the canonical host because `acl:agent` is still baked in as an absolute URI. Making it relative:

- Lets owner read/write work cross-host on the same machine (when the user authenticates against whichever host they're hitting).
- Makes the on-disk pod truly portable: operators can move a pod to a new domain without rewriting ACLs.
- Doesn't fix the cross-host auth case (token issued by host A, request to host B); that's Phase 4.

## Tests

- Unit: each affected generator emits the relative agent form when given a relative input.
- Round-trip: the parser resolves `./profile/card.jsonld#me` against `http://anyhost/.acl` to `http://anyhost/profile/card.jsonld#me`.
- `Host:` rewrites used in Phase 1 (#428, "emit relative acl:accessTo / acl:default in ACL generators") and #428's cross-host portability test.

## Acceptance

- Relative `acl:agent` emitted when callers pass it.
- Callers in `container.js` and `server.js` updated.

## Out of scope

Refs #427.
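The following is an added example, not the project's code, showing the caller/generator split and the round-trip this issue asks for: a caller-side helper turns the absolute owner WebID into a reference relative to the ACL document's URL (generalizing the root-pod `./profile/card.jsonld#me` case to sub-container ACLs such as the inbox, and leaving WebIDs on a foreign origin absolute), the generator emits that reference verbatim, and a parser-side resolver resolves it with the WHATWG `URL` API against whichever host served the ACL. Only `generateOwnerAcl` and the `'acl:agent': {'@id': …}` shape come from the issue; `relativeAgentRef`, `resolveAgent`, `agentMatches`, `demo` and the extra JSON-LD keys are assumptions.

```javascript
// Added example, not the project's code. Only generateOwnerAcl and the
// 'acl:agent': {'@id': ...} shape come from the issue; relativeAgentRef,
// resolveAgent, agentMatches, demo and the remaining ACL keys are assumptions.

// Caller side: turn an absolute owner WebID into the reference the ACL should
// carry. Same-origin WebIDs become relative to the ACL document's directory so
// the on-disk pod can move between hosts; WebIDs on another origin belong to a
// different pod and are returned unchanged.
function relativeAgentRef(webId, aclUrl) {
  const target = new URL(webId);
  const base = new URL(aclUrl);
  if (target.origin !== base.origin) return webId;

  // Segments of the ACL document's directory ("/inbox/.acl" -> ["inbox"]).
  const baseDir = base.pathname.split('/').slice(1, -1);
  const targetSegs = target.pathname.split('/').slice(1);

  // Shared leading segments need no "../"; each remaining base segment needs one.
  let common = 0;
  while (common < baseDir.length && common < targetSegs.length &&
         baseDir[common] === targetSegs[common]) {
    common++;
  }
  const ups = baseDir.length - common;
  const prefix = ups === 0 ? './' : '../'.repeat(ups);
  return prefix + targetSegs.slice(common).join('/') + target.hash;
}

// Generator: emits the agent reference verbatim, whatever the caller passed.
function generateOwnerAcl(ownerAgentRef) {
  return {
    '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
    '@id': '#owner',
    '@type': 'acl:Authorization',
    'acl:agent': { '@id': ownerAgentRef },
    'acl:accessTo': { '@id': './' },
    'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }],
  };
}

// Parser side: resolve the (possibly relative) agent against the URL the ACL
// document was fetched from. This is what makes one on-disk file valid on any host.
function resolveAgent(acl, aclUrl) {
  return new URL(acl['acl:agent']['@id'], aclUrl).href;
}

// Authorization check: compare the resolved agent with the WebID the request
// authenticated as, normalizing both through URL so trivial spelling
// differences (default ports, percent-encoding) do not cause false negatives.
function agentMatches(acl, aclUrl, authenticatedWebId) {
  return resolveAgent(acl, aclUrl) === new URL(authenticatedWebId).href;
}

// Round trip: the same emitted ACL resolved on the canonical host and after
// the pod has been moved to another domain (constructed sample URLs).
function demo() {
  const ownerWebId = 'http://anyhost/profile/card.jsonld#me';
  const rootAclUrl = 'http://anyhost/.acl';
  const acl = generateOwnerAcl(relativeAgentRef(ownerWebId, rootAclUrl));
  return {
    emitted: acl['acl:agent']['@id'],
    onCanonicalHost: resolveAgent(acl, rootAclUrl),
    afterMove: resolveAgent(acl, 'https://pods.example.org/.acl'),
  };
}

console.log(demo());
```

Note the design choice in `relativeAgentRef`: the relative form is computed from the ACL document's own URL, so `generateInboxAcl` writing `/inbox/.acl` gets `../profile/card.jsonld#me` rather than `./profile/card.jsonld#me`, which would otherwise resolve to a non-existent `/inbox/profile/...` agent and silently lock the owner out of the inbox.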