Merge branch 'main' into appendPutNewDocument

Author: bourgeoa

.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x, 14.x, 16.x]
+        node-version: [16.x, 18.x]
         os: [ubuntu-latest]
 
     steps:
@@ -97,4 +97,4 @@ jobs:
           build-args: SOLID_SERVER_VERSION=${{ steps.tagName.outputs.version }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}

lib/acl-checker.js

@@ -28,7 +28,14 @@ class ACLChecker {
   constructor (resource, options = {}) {
     this.resource = resource
     this.resourceUrl = new URL(resource)
-    this.agentOrigin = options.strictOrigin && options.agentOrigin ? rdf.sym(options.agentOrigin) : null
+    this.agentOrigin = null
+    try {
+      if (options.strictOrigin && options.agentOrigin) {
+        this.agentOrigin = rdf.sym(options.agentOrigin)
+      }
+    } catch (e) {
+      // noop
+    }
     this.fetch = options.fetch
     this.fetchGraph = options.fetchGraph
     this.trustedOrigins = options.strictOrigin && options.trustedOrigins ? options.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null

lib/handlers/allow.js

@@ -72,9 +72,10 @@ function allow (mode) {
       }
     }
 
-    // check user is owner. Find owner from /.meta
-    if (resourceUrl.endsWith('.acl') && userId === await ldp.getOwner(req.hostname)) return next()
-
+    // check if user is owner. Check isOwner from /.meta
+    try {
+      if (resourceUrl.endsWith('.acl') && (await ldp.isOwner(userId, req.hostname))) return next()
+    } catch (err) {}
     const error = req.authError || await req.acl.getError(userId, mode)
     debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     next(error)

lib/handlers/patch.js

@@ -143,8 +143,6 @@ async function checkPermission (request, patchObject, resourceExists) {
   // Now that we know the details of the patch,
   // we might need to perform additional checks.
   let modes = []
-  // acl:default Write is required for create when resource exists
-  if (resourceExists) modes = ['Write']
   const { acl, session: { userId } } = request
   // Read access is required for DELETE and WHERE.
   // If we would allows users without read access,
@@ -164,7 +162,7 @@ async function checkPermission (request, patchObject, resourceExists) {
   if (!allAllowed) {
     // check owner with Control
     const ldp = request.app.locals.ldp
-    if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve(patchObject)
+    if (request.path.endsWith('.acl') && await ldp.isOwner(userId, request.hostname)) return Promise.resolve(patchObject)
 
     const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
     const error = errors.filter(error => !!error)

lib/header.js

@@ -128,7 +128,7 @@ async function addPermissions (req, res, next) {
     getPermissionsFor(acl, null, req),
     getPermissionsFor(acl, session.userId, req)
   ])
-  if (resource.endsWith('.acl') && userPerms === '' && session.userId === await ldp.getOwner(req.hostname)) userPerms = 'control'
+  if (resource.endsWith('.acl') && userPerms === '' && await ldp.isOwner(session.userId, req.hostname)) userPerms = 'control'
   debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
   debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
   res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)

lib/ldp.js

@@ -454,16 +454,16 @@ class LDP {
   // this is a hack to replace solid:owner, using solid:account in /.meta to avoid NSS migration
   // this /.meta has no functionality in actual NSS
   // comment https://github.com/solid/node-solid-server/pull/1604#discussion_r652903546
-  async getOwner (hostname) {
+  async isOwner (webId, hostname) {
     // const ldp = req.app.locals.ldp
     const rootUrl = this.resourceMapper.resolveUrl(hostname)
     let graph
     try {
       // TODO check for permission ?? Owner is a MUST
       graph = await this.getGraph(rootUrl + '/.meta')
       const SOLID = $rdf.Namespace('http://www.w3.org/ns/solid/terms#')
-      const owner = await graph.any(null, SOLID('account'), $rdf.sym(rootUrl + '/'))
-      return owner.uri
+      const owner = await graph.statementsMatching($rdf.sym(webId), SOLID('account'), $rdf.sym(rootUrl + '/'))
+      return owner.length
     } catch (error) {
       throw new Error(`Failed to get owner from ${rootUrl}/.meta, got ` + error)
     }