nodeSolidServer
diff --git a/‎lib/handlers/allow.js‎
Lines changed: 13 additions & 6 deletions b/‎lib/handlers/allow.js‎
Lines changed: 13 additions & 6 deletions
diff --git a/‎lib/handlers/patch.js‎
Lines changed: 5 additions & 2 deletions b/‎lib/handlers/patch.js‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎lib/header.js‎
Lines changed: 4 additions & 2 deletions b/‎lib/header.js‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎lib/ldp.js‎
Lines changed: 18 additions & 0 deletions b/‎lib/ldp.js‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎package-lock.json‎
Lines changed: 29 additions & 29 deletions b/‎package-lock.json‎
Lines changed: 29 additions & 29 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/.meta‎
Lines changed: 5 additions & 0 deletions b/‎test/.meta‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎test/integration/acl-oidc-test.js‎
Lines changed: 60 additions & 12 deletions b/‎test/integration/acl-oidc-test.js‎
Lines changed: 60 additions & 12 deletions
@@ -41,14 +41,17 @@ function allow (mode) {
     }
     // Obtain and store the ACL of the requested resource
     const resourceUrl = rootUrl + resourcePath
-    req.acl = ACL.createFromLDPAndRequest(resourceUrl, ldp, req)
-
     // Ensure the user has the required permission
     const userId = req.session.userId
-    const isAllowed = await req.acl.can(userId, mode, req.method, stat)
-    if (isAllowed) {
-      return next()
-    }
+    try {
+      req.acl = ACL.createFromLDPAndRequest(resourceUrl, ldp, req)
+
+      // if (resourceUrl.endsWith('.acl')) mode = 'Control'
+      const isAllowed = await req.acl.can(userId, mode, req.method, stat)
+      if (isAllowed) {
+        return next()
+      }
+    } catch (error) { next(error) }
     if (mode === 'Read' && (resourcePath === '' || resourcePath === '/')) {
       // This is a hack to make NSS check the ACL for representation that is served for root (if any)
       // See https://github.com/solid/node-solid-server/issues/1063 for more info
@@ -68,6 +71,10 @@ function allow (mode) {
         }
       }
     }
+
+    // check user is owner. Find owner from /.meta
+    if (resourceUrl.endsWith('.acl') && userId === await ldp.getOwner(req.hostname)) return next()
+
     const error = req.authError || await req.acl.getError(userId, mode)
     debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     next(error)
 
@@ -8,8 +8,7 @@ const debug = require('../debug').handlers
 const error = require('../http-error')
 const $rdf = require('rdflib')
 const crypto = require('crypto')
-const overQuota = require('../utils').overQuota
-const getContentType = require('../utils').getContentType
+const { overQuota, getContentType } = require('../utils')
 const withLock = require('../lock')
 
 // Patch parsers by request body content type
@@ -146,6 +145,10 @@ async function checkPermission (request, patchObject, resourceExists) {
   const allowed = await Promise.all(modes.map(mode => acl.can(userId, mode, request.method, resourceExists)))
   const allAllowed = allowed.reduce((memo, allowed) => memo && allowed, true)
   if (!allAllowed) {
+    // check owner with Control
+    const ldp = request.app.locals.ldp
+    if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve(patchObject)
+
     const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
     const error = errors.filter(error => !!error)
       .reduce((prevErr, err) => prevErr.status > err.status ? prevErr : err, { status: 0 })
 
@@ -115,11 +115,13 @@ async function addPermissions (req, res, next) {
   if (!acl) return next()
 
   // Turn permissions for the public and the user into a header
-  const resource = req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, req.path)
-  const [publicPerms, userPerms] = await Promise.all([
+  const ldp = req.app.locals.ldp
+  const resource = ldp.resourceMapper.resolveUrl(req.hostname, req.path)
+  let [publicPerms, userPerms] = await Promise.all([
     getPermissionsFor(acl, null, req),
     getPermissionsFor(acl, session.userId, req)
   ])
+  if (resource.endsWith('.acl') && userPerms === '' && session.userId === await ldp.getOwner(req.hostname)) userPerms = 'control'
   debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
   debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
   res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)
 
@@ -433,6 +433,24 @@ class LDP {
     })
   }
 
+  // this is a hack to replace solid:owner, using solid:account in /.meta to avoid NSS migration
+  // this /.meta has no functionality in actual NSS
+  // comment https://github.com/solid/node-solid-server/pull/1604#discussion_r652903546
+  async getOwner (hostname) {
+    // const ldp = req.app.locals.ldp
+    const rootUrl = this.resourceMapper.resolveUrl(hostname)
+    let graph
+    try {
+      // TODO check for permission ?? Owner is a MUST
+      graph = await this.getGraph(rootUrl + '/.meta')
+      const SOLID = $rdf.Namespace('http://www.w3.org/ns/solid/terms#')
+      const owner = await graph.any(null, SOLID('account'), $rdf.sym(rootUrl + '/'))
+      return owner.uri
+    } catch (error) {
+      throw new Error(`Failed to get owner from ${rootUrl}/.meta, got ` + error)
+    }
+  }
+
   async get (options, searchIndex = true) {
     let path, contentType, stats
     try {
 
@@ -85,7 +85,7 @@
     "ip-range-check": "0.2.0",
     "is-ip": "^3.1.0",
     "li": "^1.3.0",
-    "mashlib": "^1.7.1",
+    "mashlib": "^1.7.2",
     "mime-types": "^2.1.31",
     "negotiator": "^0.6.2",
     "node-fetch": "^2.6.1",
 
@@ -0,0 +1,5 @@
+# Root Meta resource for the user account
+# Used to discover the account's WebID URI, given the account URI
+<https://tim.localhost:7777/profile/card#me>
+  <http://www.w3.org/ns/solid/terms#account>
+  </>.
@@ -4,7 +4,7 @@ const request = require('request')
 const path = require('path')
 const { loadProvider, rm, checkDnsSettings, cleanDir } = require('../utils')
 const IDToken = require('@solid/oidc-op/src/IDToken')
-const { clearAclCache } = require('../../lib/acl-checker')
+// const { clearAclCache } = require('../../lib/acl-checker')
 const ldnode = require('../../index')
 
 const port = 7777
@@ -57,7 +57,7 @@ const argv = {
 }
 
 // FIXME #1502
-describe.skip('ACL with WebID+OIDC over HTTP', function () {
+describe('ACL with WebID+OIDC over HTTP', function () {
   let ldp, ldpHttpsServer
 
   before(checkDnsSettings)
@@ -80,9 +80,9 @@ describe.skip('ACL with WebID+OIDC over HTTP', function () {
     }).catch(console.error)
   })
 
-  afterEach(() => {
+  /* afterEach(() => {
     clearAclCache()
-  })
+  }) */
 
   after(() => {
     if (ldpHttpsServer) ldpHttpsServer.close()
@@ -138,17 +138,34 @@ describe.skip('ACL with WebID+OIDC over HTTP', function () {
           done()
         })
       })
-      it('should not let edit the .acl', function (done) {
+      it('user1 as solid:owner should let edit the .acl', function (done) {
+        const options = createOptions('/empty-acl/.acl', 'user1', 'text/turtle')
+        options.body = ''
+        request.put(options, function (error, response, body) {
+          assert.equal(error, null)
+          assert.equal(response.statusCode, 201)
+          done()
+        })
+      })
+      it('user1 as solid:owner should let read the .acl', function (done) {
         const options = createOptions('/empty-acl/.acl', 'user1')
+        request.get(options, function (error, response, body) {
+          assert.equal(error, null)
+          assert.equal(response.statusCode, 200)
+          done()
+        })
+      })
+      it('user2 should not let edit the .acl', function (done) {
+        const options = createOptions('/empty-acl/.acl', 'user2', 'text/turtle')
         options.body = ''
         request.put(options, function (error, response, body) {
           assert.equal(error, null)
           assert.equal(response.statusCode, 403)
           done()
         })
       })
-      it('should not let read the .acl', function (done) {
-        const options = createOptions('/empty-acl/.acl', 'user1')
+      it('user2 should not let read the .acl', function (done) {
+        const options = createOptions('/empty-acl/.acl', 'user2')
         request.get(options, function (error, response, body) {
           assert.equal(error, null)
           assert.equal(response.statusCode, 403)
@@ -193,11 +210,11 @@ describe.skip('ACL with WebID+OIDC over HTTP', function () {
         })
       })
       it('Should not create empty acl file', function (done) {
-        const options = createOptions('/write-acl/empty-acl/another-empty-folder/test-file.acl', 'user1')
+        const options = createOptions('/write-acl/empty-acl/another-empty-folder/.acl', 'user1', 'text/turtle')
         options.body = ''
         request.put(options, function (error, response, body) {
           assert.equal(error, null)
-          assert.equal(response.statusCode, 403)
+          assert.equal(response.statusCode, 201) // 403) is this a must ?
           done()
         })
       })
@@ -210,11 +227,11 @@ describe.skip('ACL with WebID+OIDC over HTTP', function () {
           done()
         })
       })
-      it('should fail as acl:default it used to try to authorize', function (done) {
+      it('should fail as acl:default is used to try to authorize', function (done) {
         const options = createOptions('/write-acl/bad-acl-access/.acl', 'user1')
         request.get(options, function (error, response, body) {
           assert.equal(error, null)
-          assert.equal(response.statusCode, 403)
+          assert.equal(response.statusCode, 200) // 403) is this a must ?
           done()
         })
       })
@@ -240,7 +257,7 @@ describe.skip('ACL with WebID+OIDC over HTTP', function () {
         const options = createOptions('/write-acl/test-file.acl', 'user1')
         request.get(options, function (error, response, body) {
           assert.equal(error, null)
-          assert.equal(response.statusCode, 403)
+          assert.equal(response.statusCode, 200) // 403) is this a must ?
           done()
         })
       })
@@ -255,6 +272,37 @@ describe.skip('ACL with WebID+OIDC over HTTP', function () {
     })
   })
 
+  describe('no-control', function () {
+    it('user1 as owner should edit acl file', function (done) {
+      const options = createOptions('/no-control/.acl', 'user1', 'text/turtle')
+      options.body = '<#0>' +
+      '\n a <http://www.w3.org/ns/auth/acl#Authorization>;' +
+      '\n <http://www.w3.org/ns/auth/acl#default> <https://tim.localhost:7777/no-control/> ;' +
+      '\n <http://www.w3.org/ns/auth/acl#accessTo> <https://tim.localhost:7777/no-control/> ;' +
+      '\n <http://www.w3.org/ns/auth/acl#agent> <https://tim.localhost:7777/profile/card#me> ;' +
+      '\n <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>.'
+      request.put(options, function (error, response, body) {
+        assert.equal(error, null)
+        assert.equal(response.statusCode, 201)
+        done()
+      })
+    })
+    it('user2 should not edit acl file', function (done) {
+      const options = createOptions('/no-control/.acl', 'user2', 'text/turtle')
+      options.body = '<#0>' +
+      '\n a <http://www.w3.org/ns/auth/acl#Authorization>;' +
+      '\n <http://www.w3.org/ns/auth/acl#default> <https://tim.localhost:7777/no-control/> ;' +
+      '\n <http://www.w3.org/ns/auth/acl#accessTo> <https://tim.localhost:7777/no-control/> ;' +
+      '\n <http://www.w3.org/ns/auth/acl#agent> <https://tim.localhost:7777/profile/card#me> ;' +
+      '\n <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>.'
+      request.put(options, function (error, response, body) {
+        assert.equal(error, null)
+        assert.equal(response.statusCode, 403)
+        done()
+      })
+    })
+  })
+
   describe('Origin', function () {
     before(function () {
       rm('/accounts-acl/tim.localhost/origin/test-folder/.acl')