update DELETE

bourgeoa · bourgeoa · commit 6b6257f8f81a · 2024-01-09T17:36:42.000+01:00
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
@@ -5,6 +5,7 @@ const { dirname } = require('path')
 const rdf = require('rdflib')
 const debug = require('./debug').ACL
 // const debugCache = require('./debug').cache
+const debugAccounts = require('./debug').accounts
 const HTTPError = require('./http-error')
 const aclCheck = require('@solid/acl-check')
 const { URL } = require('url')
@@ -55,7 +56,7 @@ class ACLChecker {
     }
     this.messagesCached[cacheKey] = this.messagesCached[cacheKey] || []
 
-    const acl = await this.getNearestACL().catch(err => {
+    const acl = await this.getNearestACL(method).catch(err => {
       this.messagesCached[cacheKey].push(new HTTPError(err.status || 500, err.message || err))
     })
     if (!acl) {
@@ -77,21 +78,7 @@ class ACLChecker {
       parentResource = resource
       if (!thisResource.endsWith('/')) parentResource = rdf.sym(ACLChecker.getDirectory(thisResource))
     }
-    /* let resource = rdf.sym(this.resource)
-    if (this.resource.endsWith('/' + this.suffix)) {
-      resource = rdf.sym(ACLChecker.getDirectory(this.resource))
-    }
-    // If this is an ACL, Control mode must be present for any operations
-    if (this.isAcl(this.resource)) {
-      mode = 'Control'
-      resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
-    } */
-    // If the slug is an acl, reject
-    /* if (this.isAcl(this.slug)) {
-      this.aclCached[cacheKey] = Promise.resolve(false)
-      return this.aclCached[cacheKey]
-    } */
-    let directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.docAcl)) : null
+    const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.docAcl)) : null
     const aclFile = rdf.sym(acl.docAcl)
     const aclGraph = acl.docGraph
     const agent = user ? rdf.sym(user) : null
@@ -116,12 +103,14 @@ class ACLChecker {
       accessDenied = accessResult ? false : accessDenied || accessDeniedAccessTo
       // debugCache('accessDenied result ' + accessDenied)
     }
-    function accessDeniedForAccessToParent (mode) {
+    function accessdeniedFromParent (modes) {
       const parentAclDirectory = ACLChecker.getDirectory(acl.parentAcl)
       const parentDirectory = parentResource === parentAclDirectory ? null : rdf.sym(parentAclDirectory)
-      const accessDeniedAccessTo = aclCheck.accessDenied(acl.parentGraph, parentResource, parentDirectory, rdf.sym(acl.parentAcl), agent, [ACL(mode)], agentOrigin, trustedOrigins, originTrustedModes)
-      const accessResult = !accessDenied && !accessDeniedAccessTo
-      accessDenied = accessResult ? false : accessDenied || accessDeniedAccessTo
+      const deniedParent = Promise.all(modes
+        .map(mode => aclCheck.accessDenied(acl.parentGraph, parentResource, parentDirectory, rdf.sym(acl.parentAcl), agent, [ACL(mode)], agentOrigin, trustedOrigins, originTrustedModes)))
+      const accessDeniedParent = deniedParent.reduce((memo, deniedParent) => memo && !deniedParent, true)
+      const accessResult = !accessDenied && !accessDeniedParent
+      accessDenied = accessResult ? false : accessDenied || accessDeniedParent
       // debugCache('accessDenied result ' + accessDenied)
     }
     // For create and update HTTP methods
@@ -137,11 +126,11 @@ class ACLChecker {
     if ((method === 'DELETE')) {
       // if resource and acl have same parent container,
       // then accessTo Write from parent is required
-      if (!directory && aclFile.value.endsWith('/.acl')) directory = rdf.sym(dirname(aclFile.value) + '/')
+      if (!directory && aclFile.value.endsWith('/.acl')) accessdeniedFromParent(['Read', 'Write']) // directory = rdf.sym(dirname(aclFile.value) + '/')
       if ((directory && directory.value === dirname(aclFile.value) + '/')) {
         accessDeniedForAccessTo('Write')
       } else {
-        accessDeniedForAccessToParent('Write')
+        accessdeniedFromParent(['Write'])
       }
     }
 
@@ -169,19 +158,19 @@ class ACLChecker {
   }
 
   // Gets the ACL that applies to the resource
-  async getNearestACL () {
+  async getNearestACL (method) {
     const { resource } = this
     let isContainer = false
     const possibleACLs = this.getPossibleACLs()
     const acls = [...possibleACLs]
     let returnAcl = null
-    // let returnParentAcl = null
+    let returnParentAcl = null
     let parentAcl = null
     let parentGraph = null
     let docAcl = null
     let docGraph = null
     // while (possibleACLs.length > 0 && !returnParentAcl) {
-    while (possibleACLs.length > 0 && !returnAcl) {
+    while (possibleACLs.length > 0 && !returnParentAcl) { // alain returnParentAcl
       const acl = possibleACLs.shift()
       let graph
       try {
@@ -205,30 +194,43 @@ class ACLChecker {
           parentGraph = graph // alain
           returnParentAcl = true
         } */
+        if (method !== 'DELETE') returnParentAcl = true
       } else {
         parentAcl = acl
         parentGraph = graph
-        returnAcl = true
+        returnParentAcl = true
       }
-      // returnParentAcl = true
 
       returnAcl = { docAcl, docGraph, isContainer, parentAcl, parentGraph }
     }
     if (!returnAcl) {
       throw new HTTPError(500, `No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
     }
+    if (!parentAcl) { // alain is it needed
+      returnAcl.parentAcl = returnAcl.docAcl
+      returnAcl.parentGraph = returnAcl.docGraph
+    }
     const groupNodes = returnAcl.docGraph.statementsMatching(null, ACL('agentGroup'), null)
     const groupUrls = groupNodes.map(node => node.object.value.split('#')[0])
     await Promise.all(groupUrls.map(async groupUrl => {
       try {
         const docGraph = await this.fetch(groupUrl, returnAcl.docGraph)
         this.requests[groupUrl] = this.requests[groupUrl] || docGraph
+        // debugAccounts(this.requests[groupUrl].statementsMatching())
       } catch (e) {} // failed to fetch groupUrl
     }))
-    if (!parentAcl) { // alain is it needed
-      returnAcl.parentAcl = docAcl
-      returnAcl.parentGraph = docGraph
-    }
+    /* groupNodes = returnAcl.parentGraph.statementsMatching(null, ACL('agentGroup'), null)
+    groupUrls = groupNodes.map(node => node.object.value.split('#')[0])
+    await Promise.all(groupUrls.map(async groupUrl => {
+      try {
+        const docGraph = await this.fetch(groupUrl, returnAcl.parentGraph)
+        this.requests[groupUrl] = this.requests[groupUrl] || docGraph
+      } catch (e) {} // failed to fetch groupUrl
+    })) */
+    /* returnAcl.parentAcl = returnAcl.docAcl
+    returnAcl.parentGraph = returnAcl.docGraph
+    */
+    debugAccounts('ALAIN returnACl ' + '\ndocAcl ' + returnAcl.docAcl + '\nparentAcl ' + returnAcl.parentAcl)
     return returnAcl
   }
 
