Fix ACL modes (#242)

namedgraph · web-flow · commit 61b2bdb1c2af · 2025-09-10T23:20:09.000+02:00
* Streamlined `AuthorizationFilter`

* Attempt to fix
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java
@@ -136,14 +136,14 @@ public void filter(ContainerRequestContext request) throws IOException
         if (request.getSecurityContext().getUserPrincipal() instanceof Agent) agent = ((Agent)(request.getSecurityContext().getUserPrincipal()));
         else agent = null; // public access
 
-        Resource authorization = authorize(request, agent, accessMode);
-        if (authorization == null)
+        Model authorizations = authorize(request, agent, accessMode);
+        if (authorizations == null)
         {
             if (log.isTraceEnabled()) log.trace("Access not authorized for request URI: {} and access mode: {}", request.getUriInfo().getAbsolutePath(), accessMode);
             throw new AuthorizationException("Access not authorized for request URI", request.getUriInfo().getAbsolutePath(), accessMode);
         }
         else // authorization successful
-            request.setProperty(AuthorizationContext.class.getCanonicalName(), new AuthorizationContext(authorization.getModel()));
+            request.setProperty(AuthorizationContext.class.getCanonicalName(), new AuthorizationContext(authorizations));
     }
     
     /**
@@ -152,21 +152,22 @@ public void filter(ContainerRequestContext request) throws IOException
      * @param request current request
      * @param agent agent resource or null
      * @param accessMode ACL access mode
-     * @return authorization resource or null
+     * @return authorizations model or null if access denied
      */
-    public Resource authorize(ContainerRequestContext request, Resource agent, Resource accessMode)
+    public Model authorize(ContainerRequestContext request, Resource agent, Resource accessMode)
     {
         Resource accessTo = ResourceFactory.createResource(request.getUriInfo().getAbsolutePath().toString());
-        
-        // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
+        QuerySolutionMap thisQsm = new QuerySolutionMap();
+        thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
+        Model authorizations = ModelFactory.createDefaultModel();
+
+        // the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access.
+        // Note: the document does not even need to have a type at this point.
         if (agent != null && isOwner(accessTo, agent))
         {
             log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
-            return createOwnerAuthorization(accessTo, agent);
+            createOwnerAuthorization(authorizations, accessTo, agent);
         }
-        
-        QuerySolutionMap thisQsm = new QuerySolutionMap();
-        thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
 
         ResultSetRewindable docTypesResult = loadResultSet(getApplication().getService(), getDocumentTypeQuery(), thisQsm);
         try
@@ -192,24 +193,30 @@ public Resource authorize(ContainerRequestContext request, Resource agent, Resou
                     // only root and containers allow child documents. This needs to be checked before checking ownership
                     if (Collections.disjoint(parentTypes, Set.of(Default.Root, DH.Container))) return null;
                     docTypesResult.reset(); // rewind result set to the beginning - it's used again later on
-
-                    // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
+                    
+                    // the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
                     if (agent != null && isOwner(accessTo, agent))
                     {
                         log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
-                        return createOwnerAuthorization(accessTo, agent);
+                        createOwnerAuthorization(authorizations, accessTo, agent);
                     }
                 }
+                // access to non-existing documents is denied if the request method is not PUT *and* the agent has no Write access
                 else return null;
             }
-
+        
             ParameterizedSparqlString pss = getApplication().canAs(EndUserApplication.class) ? getACLQuery() : getOwnerACLQuery();
             Query query = new SetResultSetValues().apply(pss.asQuery(), docTypesResult);
             pss = new ParameterizedSparqlString(query.toString()); // make sure VALUES are now part of the query string
             assert pss.toString().contains("VALUES");
 
-            Model authModel = loadModel(getAdminService(), pss, new AuthorizationParams(getApplication().getBase(), accessTo, agent).get());
-            return getAuthorizationByMode(authModel, accessMode);
+            // note we're not setting the $mode value on the ACL queries as we want to provide the AuthorizationContext with all of the agent's authorizations
+            authorizations.add(loadModel(getAdminService(), pss, new AuthorizationParams(getApplication().getBase(), accessTo, agent).get()));
+            
+            // access denied if the agent has no authorization to the requested document with the requested ACL mode
+            if (getAuthorizationByMode(authorizations, accessMode) == null) return null;
+                
+            return authorizations;
         }
         finally
         {
@@ -326,17 +333,17 @@ protected ResultSetRewindable loadResultSet(com.atomgraph.linkeddatahub.model.Se
     
     /**
      * Creates a special <code>acl:Authorization</code> resource for an owner.
+     * @param model RDF model
      * @param accessTo requested URI
      * @param agent authenticated agent
      * @return authorization resource
      */
-    public Resource createOwnerAuthorization(Resource accessTo, Resource agent)
+    public Resource createOwnerAuthorization(Model model, Resource accessTo, Resource agent)
     {
         if (accessTo == null) throw new IllegalArgumentException("Document resource cannot be null");
         if (agent == null) throw new IllegalArgumentException("Agent resource cannot be null");
 
-        return ModelFactory.createDefaultModel().
-                createResource().
+        return model.createResource().
                 addProperty(RDF.type, ACL.Authorization).
                 addProperty(RDF.type, LACL.OwnerAuthorization).
                 addProperty(ACL.accessTo, accessTo).
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/util/AuthorizationParams.java b/src/main/java/com/atomgraph/linkeddatahub/server/util/AuthorizationParams.java
@@ -36,6 +36,7 @@ public class AuthorizationParams implements Supplier<QuerySolutionMap>
     
     /**
      * Constructs authorization query solution supplier.
+     * <em>Does not set <samp>$mode</samp> value intentionally as we want to provide the {@link com.atomgraph.linkeddatahub.server.security.AuthorizationContext} with all of the agent's authorizations.</em>
      * 
      * @param base application's base URI
      * @param absolutePath request URL without query string

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ public class AuthorizationParams implements Supplier<QuerySolutionMap>`
`36`	`36`
`37`	`37`	`/**`
`38`	`38`	`* Constructs authorization query solution supplier.`
	`39`	`+ * <em>Does not set <samp>$mode</samp> value intentionally as we want to provide the {@link com.atomgraph.linkeddatahub.server.security.AuthorizationContext} with all of the agent's authorizations.</em>`
`39`	`40`	`*`
`40`	`41`	`* @param base application's base URI`
`41`	`42`	`* @param absolutePath request URL without query string`