README.md: 17 additions & 17 deletions
@@ -119,7 +119,7 @@ the ACL resource in the above example would be `/docs/.acl`).
119
119
Clients MUST NOT assume that the location of an ACL resource can be
120
120
deterministically derived from a document's URL. For example, given a document
121
121
with a URL of `/docs/file1`, clients cannot rely on the assumption that an ACL
122
-
resource exists at `/docs/file1.acl`, simply using `.acl` as a prefix. The
122
+
resource exists at `/docs/file1.acl`, simply using `.acl` as a suffix. The
123
123
actual naming convention for ACL resources can differ for each individual
124
124
implementation (or even for each individual server). If one server locates the
125
125
ACL resource by appending the suffix `.acl`, another server could place the ACL
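Review bot: The corrected clause on new line 122, "simply using `.acl` as a suffix", still dangles off the sentence; it is not clear whether it describes the client's assumption or the server's behaviour. Consider "cannot rely on the assumption that an ACL resource exists at `/docs/file1.acl`, derived by simply appending `.acl`", which also matches the "appending the suffix `.acl`" wording used on line 125.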
@@ -301,7 +301,7 @@ the following issues:
301
301
for group ACLs are public.
302
302
303
303
Possible future methods for a server to find out whether a given agent is a
304
-
member of s group are a matter for future research and possible addition here.
304
+
member of a group are a matter for future research and possible addition here.
305
305
306
306
### Public Access (All Agents)
307
307
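Review bot: On new lines 303-304 the sentence says "Possible future methods ... are a matter for future research and possible addition here", so "possible" and "future" each appear twice. Since this line is being touched anyway, consider tightening it to "Methods for a server to find out whether a given agent is a member of a group are a matter for future research."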
@@ -368,24 +368,24 @@ All scripts running on the same origin are assumed to be run by the same
368
368
social entity, and so trusted to the same extent.
369
369
370
370
*When an Origin header is present then BOTH the authenticated agent AND
371
-
the origin MUST be allowed access*
371
+
the origin MUST be allowed access.*
372
372
373
-
As both the user and the web app get to read or write (etc) the data, then they most BOTH
374
-
be trusted. This is the algorithm the server must go through.
373
+
As both the user and the web app get to read or write (etc) the data, then they must BOTH
374
+
be trusted. This is the algorithm the server must go through.
375
375
376
-
- If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH **
377
-
- If the user is *not* logged on, then fail `401 Unauthenticated`
378
-
-Is the User authenticated is *not* allowed access required, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`
379
-
- If the Origin header is not present, the succeed `200 OK`
380
-
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH
381
-
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH
382
-
- Fail `403 Origin Unauthorized`
376
+
- If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH.**
377
+
- If the user is *not* logged on, then fail `401 Unauthenticated`.
378
+
-If the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`.
379
+
- If the Origin header is not present, then succeed `200 OK`.
380
+
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH.
381
+
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH.
382
+
- Fail `403 Origin Unauthorized`.
383
383
384
-
Note it is a really good idea to make it clear both in the text of the status message and in the body of
385
-
the message the difference between the user not being allowed and the web app they are using
386
-
not being trusted.
384
+
Note it is a really good idea to make it clear both in the text of the status message and in the body of
385
+
the message the difference between the user not being allowed and the web app they are using
386
+
not being trusted.
387
387
388
-
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
388
+
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
389
389
390
390
#### Adding trusted web apps.
391
391
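Review bot: New line 378 still starts with `-If the authenticated user` with no space after the hyphen, so Markdown will not render it as a list item and the third step of the access-check algorithm will run into the step above it. Every other step uses `- `; please add the space here too, since a reader implementing the check needs the steps to read as an ordered sequence. Separately, the footnote marker in `ACAH.**` on line 376 now sits after the full stop while the footnote on line 388 opens with `** Possible`; a renderer may treat the pair as emphasis delimiters, so a plain marker such as `[1]` would be safer.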
@@ -439,7 +439,7 @@ Since an ACL resource is a plain Web document in itself, what controls who
439
439
has access to *it*? While an ACL resource *could* in theory have its own
440
440
corresponding ACL document (for example, `file1.acl` controls access to `file1`,
441
441
and `file1.acl.acl` could potentially control access to `file1.acl`), one
442
-
quickly realizes thats this recursion has to end somewhere.
442
+
quickly realizes that this recursion has to end somewhere.
443
443
444
444
Instead, the [`acl:Control` access mode](#aclcontrol) is used (see below), to
445
445
specify who has access to alter (or even view) the ACL resource.