update DELETE

Author: bourgeoa

lib/acl-checker.js

@@ -1,7 +1,7 @@
 'use strict'
 /* eslint-disable node/no-deprecated-api */
 
-// const { dirname } = require('path')
+const { dirname } = require('path')
 const rdf = require('rdflib')
 const debug = require('./debug').ACL
 // const debugCache = require('./debug').cache
@@ -77,12 +77,21 @@ class ACLChecker {
       parentResource = resource
       if (!thisResource.endsWith('/')) parentResource = rdf.sym(ACLChecker.getDirectory(thisResource))
     }
+    /* let resource = rdf.sym(this.resource)
+    if (this.resource.endsWith('/' + this.suffix)) {
+      resource = rdf.sym(ACLChecker.getDirectory(this.resource))
+    }
+    // If this is an ACL, Control mode must be present for any operations
+    if (this.isAcl(this.resource)) {
+      mode = 'Control'
+      resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
+    } */
     // If the slug is an acl, reject
     /* if (this.isAcl(this.slug)) {
       this.aclCached[cacheKey] = Promise.resolve(false)
       return this.aclCached[cacheKey]
     } */
-    const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.docAcl)) : null
+    let directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.docAcl)) : null
     const aclFile = rdf.sym(acl.docAcl)
     const aclGraph = acl.docGraph
     const agent = user ? rdf.sym(user) : null
@@ -102,6 +111,12 @@ class ACLChecker {
     let accessDenied = aclCheck.accessDenied(aclGraph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
 
     function accessDeniedForAccessTo (mode) {
+      const accessDeniedAccessTo = aclCheck.accessDenied(aclGraph, directory, null, aclFile, agent, [ACL(mode)], agentOrigin, trustedOrigins, originTrustedModes)
+      const accessResult = !accessDenied && !accessDeniedAccessTo
+      accessDenied = accessResult ? false : accessDenied || accessDeniedAccessTo
+      // debugCache('accessDenied result ' + accessDenied)
+    }
+    function accessDeniedForAccessToParent (mode) {
       const parentAclDirectory = ACLChecker.getDirectory(acl.parentAcl)
       const parentDirectory = parentResource === parentAclDirectory ? null : rdf.sym(parentAclDirectory)
       const accessDeniedAccessTo = aclCheck.accessDenied(acl.parentGraph, parentResource, parentDirectory, rdf.sym(acl.parentAcl), agent, [ACL(mode)], agentOrigin, trustedOrigins, originTrustedModes)
@@ -110,16 +125,26 @@ class ACLChecker {
       // debugCache('accessDenied result ' + accessDenied)
     }
     // For create and update HTTP methods
-    if ((method === 'PUT' || method === 'PATCH' || method === 'COPY')) { // && !aclFile.value.endsWith('/.acl')) {
-      // accessTo Append from parent is required
-      accessDeniedForAccessTo('Append')
+    if ((method === 'PUT' || method === 'PATCH' || method === 'COPY')) {
+      // if resource and acl have same parent container,
+      // and resource does not exist, then accessTo Append from parent is required
+      if (directory && directory.value === dirname(aclFile.value) + '/' && !resourceExists) {
+        accessDeniedForAccessTo('Append')
+      }
     }
 
     // For delete HTTP method
-    if ((method === 'DELETE')) { // } && !aclFile.value.endsWith('/.acl')) {
-      // accessTo Write from parent is required
-      accessDeniedForAccessTo('Write')
+    if ((method === 'DELETE')) {
+      // if resource and acl have same parent container,
+      // then accessTo Write from parent is required
+      if (!directory && aclFile.value.endsWith('/.acl')) directory = rdf.sym(dirname(aclFile.value) + '/')
+      if ((directory && directory.value === dirname(aclFile.value) + '/')) {
+        accessDeniedForAccessTo('Write')
+      } else {
+        accessDeniedForAccessToParent('Write')
+      }
     }
+
     if (accessDenied && user) {
       this.messagesCached[cacheKey].push(HTTPError(403, accessDenied))
     } else if (accessDenied) {
@@ -150,12 +175,13 @@ class ACLChecker {
     const possibleACLs = this.getPossibleACLs()
     const acls = [...possibleACLs]
     let returnAcl = null
-    let returnParentAcl = null
+    // let returnParentAcl = null
     let parentAcl = null
     let parentGraph = null
     let docAcl = null
     let docGraph = null
-    while (possibleACLs.length > 0 && !returnParentAcl) {
+    // while (possibleACLs.length > 0 && !returnParentAcl) {
+    while (possibleACLs.length > 0 && !returnAcl) {
       const acl = possibleACLs.shift()
       let graph
       try {
@@ -174,19 +200,21 @@ class ACLChecker {
       if (!docAcl) {
         docAcl = acl
         docGraph = graph
-        if ((possibleACLs.length === 0) || docAcl.endsWith('/.acl')) {
+        /* if ((possibleACLs.length === 0)) { // || docAcl.endsWith('/.acl')) {
           parentAcl = acl // alain
           parentGraph = graph // alain
           returnParentAcl = true
-        }
+        } */
       } else {
         parentAcl = acl
         parentGraph = graph
-        returnParentAcl = true
+        returnAcl = true
       }
+      // returnParentAcl = true
+
       returnAcl = { docAcl, docGraph, isContainer, parentAcl, parentGraph }
     }
-    if (!returnParentAcl) {
+    if (!returnAcl) {
       throw new HTTPError(500, `No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
     }
     const groupNodes = returnAcl.docGraph.statementsMatching(null, ACL('agentGroup'), null)
@@ -197,7 +225,10 @@ class ACLChecker {
         this.requests[groupUrl] = this.requests[groupUrl] || docGraph
       } catch (e) {} // failed to fetch groupUrl
     }))
-
+    if (!parentAcl) { // alain is it needed
+      parentAcl = docAcl
+      parentGraph = docGraph
+    }
     return returnAcl
   }