Fix wrong tests that gave access with default set

Author: kjetilk

lib/acl-checker.js

@@ -55,7 +55,11 @@ class ACLChecker {
       return this.aclCached[cacheKey]
     }
     // console.log('TEST', this.acl)
-    const resource = rdf.sym(this.resource)
+    let resource = rdf.sym(this.resource)
+    if (this.resource.endsWith('/' + this.suffix)) {
+      // Then, the ACL file is for a directory
+      resource = rdf.sym(ACLChecker.getDirectory(this.resource))
+    }
     // const directory = acl.isContainer ? this.resource : null
     const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.acl)) : null
     // console.log(ACLChecker.getDirectory(acl.acl))
@@ -109,45 +113,21 @@ class ACLChecker {
     // let directory = null
     // Create a cascade of reject handlers (one for each possible ACL)
     const possibleACLs = this.getPossibleACLs()
-    const acls = [...possibleACLs]
-    let returnAcl = null
-    while (possibleACLs.length > 0 && !returnAcl) {
-      const acl = possibleACLs.shift()
-      try {
-        const graph = await this.fetch(acl)
-        const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
-        debug(`Using ACL ${acl} for ${relative}`)
-        returnAcl = { acl, graph, isContainer }
-      } catch (err) {
-        if (err && (err.code === 'ENOENT' || err.status === 404)) {
-          isContainer = true
-          continue
-        } else if (err) {
-          console.error('ERROR IN getNearestACL', err.code, err)
-          debug(err)
-          throw err
-        }
-      }
-    }
-    if (!returnAcl) {
-      throw new HTTPError(403, `No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
-    }
-    return returnAcl
-    // const nearestACL = possibleACLs.reduce((prevACL, acl) => {
-    //   return prevACL.catch(() => new Promise((resolve, reject) => {
-    //     this.fetch(acl, (err, graph) => {
-    //       if (err && err.code !== 'ENOENT') {
-    //         isContainer = true
-    //         reject(err)
-    //       } else {
-    //         const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
-    //         debug(`Using ACL ${acl} for ${relative}`)
-    //         resolve({ acl, graph, isContainer })
-    //       }
-    //     })
-    //   }))
-    // }, Promise.reject())
-    // return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
+    const nearestACL = possibleACLs.reduce((prevACL, acl) => {
+      return prevACL.catch(() => new Promise((resolve, reject) => {
+        this.fetch(acl, (err, graph) => {
+          if (err && err.code !== 'ENOENT') {
+            isContainer = true
+            reject(err)
+          } else {
+            const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
+            debug(`Using ACL ${acl} for ${relative}`)
+            resolve({ acl, graph, isContainer })
+          }
+        })
+      }))
+    }, Promise.reject())
+    return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
   }
 
 // Gets all possible ACL paths that apply to the resource

test/integration/acl-oidc-test.js

@@ -247,7 +247,7 @@ describe('ACL with WebID+OIDC over HTTP', function () {
     })
   })
 
-  describe.only('Origin', function () {
+  describe('Origin', function () {
     before(function () {
       rm('/accounts-acl/tim.localhost/origin/test-folder/.acl')
     })
@@ -332,7 +332,6 @@ describe('ACL with WebID+OIDC over HTTP', function () {
         options.headers.origin = origin2
 
         request.head(options, function (error, response, body) {
-          console.log(response)
           assert.equal(error, null)
           assert.equal(response.statusCode, 403)
           assert.equal(response.statusMessage, 'Origin Unauthorized')

test/resources/accounts-acl/tim.localhost/write-acl/.acl

@@ -1,5 +1,6 @@
 <#0>
   a <http://www.w3.org/ns/auth/acl#Authorization>;
   <http://www.w3.org/ns/auth/acl#default> <./> ;
+  <http://www.w3.org/ns/auth/acl#accessTo> <./> ;
   <http://www.w3.org/ns/auth/acl#agent> <https://tim.localhost:7777/profile/card#me> ;
   <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control>.