Make explicit in spec that when a default resource is served for a container, server should check ACL for that resource about web-access-control-spec HOT 4 OPEN

The authority of a resource determines what the resource refers to - generic or specific. The server manages the association of an ACL resource to a resource, sets any constraints on authorization rules, and determines the requirements of an operation on a resource (which may be conforming to a specific protocol). WAC describes the authorization process, does not restrict, distinguish or relate #access-object resources that is of the kind generic or specific.

I suggest that whether a server associates the same ACL resource to both resource and representation URLs, and whether an ACL resource's Authorization can be checked to match a resource or a representation URL is specified elsewhere (e.g. the Solid Protocol) or deemed to be implementation specific.

from web-access-control-spec.

I do not think the solid spec should govern what is on disk; there might even be no disk or no filesystem.

However, we what we should be concerned about is that, if representations of a resource have their own URL, that they are protected by the same ACLs. Access control should protected resources, not representations.

For example, /foo/ is the main resource, with /foo/index.html or /foo/index.ttl are representations; ACL should be set on /foo/, but also cover representations. However, in this spec, no assumptions regarding representation URLs should be made.

Hence, I think it is important to reopen.
Cross-post of solid/solid-spec#134 (comment).

from web-access-control-spec.

The way I understand it this level of detail shouldn't be in the spec (as discussed in solid/solid-spec#134). So I'll close this issue as well.

from web-access-control-spec.

Indeed, and there is already mention of possible antipatterns in this spec, so there is precedent for pointing out what shouldn't be done.

from web-access-control-spec.