Release version 5.0.23

Author: namedgraph

CHANGELOG.md

@@ -1,3 +1,46 @@
+## [5.0.23] - 2025-09-11
+### Added
+- Drag handles for content blocks - blocks can now only be dragged by their dedicated drag handles
+- Client-side XPath `ac:mode` function for layout mode detection
+- New `ldh:request-uri` XPath function for URI handling
+- New `acl:mode` XPath function for client-side ACL mode detection   
+- New HTTP tests for ACL `Link` headers to verify authorization modes in response
+
+### Changed
+- Service input on the container generation form is now optional
+- IXSL promise cleanup and refactoring for better client-side performance
+- Document context handling improvements
+
+### Fixed
+- `AuthorizationFilter` to always load authorizations from the admin dataset
+- Modal form validation
+- Layout mode is now retained after RDF file upload
+
+## [5.0.22] - 2025-08-29
+### Added
+- SPARQL query support for `ProxyResourceBase` via `POST` requests
+- YouTube object block support with GRDDL transformation
+- New HTTP tests for proxy SPARQL query functionality
+- `JSONGRDDLFilter` feature for processing JSON-LD from HTML script elements
+- New CLI command for `PATCH` requests
+- Self-referencing object detection to prevent infinite loops
+
+### Changed
+- Web-Client dependency version bump
+- Increased nginx rate limits for better performance
+- Uniform `ldh:href` function calls across codebase
+- Improved `Link` header parsing and usage fixes
+- Adjusted document controls size for better UI
+- Enhanced view titles for better user experience
+- Improved tests for document property cardinalities
+- Removed DBPedia's prefix mapping
+
+### Fixed
+- Fixed template match issues
+- Improved `dct:modified` handling in Graph `POST` operations
+- Fixed error handling for "Document loaded successfully but resource was not found" cases
+- HTTP test fixes for better reliability
+
 ## [5.0.19] - 2025-07-01
 ### Fixed
 - Form callback invocation

README.md

@@ -218,6 +218,36 @@ The environment variable `JENA_HOME` is used by all the command line tools to co
 
 These demo applications can be installed into a LinkedDataHub instance using `make install`. You will need to provide the path to your WebID certificate as well as its password.
 
+## AI-Powered Automation
+
+### [Web-Algebra](https://github.com/AtomGraph/Web-Algebra)
+
+Web-Algebra enables AI agents to consume Linked Data and SPARQL as well as control and automate LinkedDataHub operations through natural language instructions.
+This innovative system translates human language into JSON-formatted RDF operations that can be executed against your LinkedDataHub instance.
+
+**Key capabilities:**
+* **Natural Language to RDF Operations**: Translate complex instructions into executable semantic workflows
+* **LLM Agent Integration**: AI agents can compose and execute complex multi-step operations automatically
+* **Atomic Execution**: Complex workflows are compiled into optimized JSON "bytecode" that executes as a single unit
+* **Model Context Protocol (MCP)**: Interactive tools for AI assistants to manage LinkedDataHub content
+
+**Example use cases:**
+
+*Business Analytics:*
+> Analyze quarterly sales performance from our Northwind dataset, identify the top 5 customers by revenue, and create an interactive dashboard showing regional sales trends with automated alerts for territories underperforming by more than 15%
+
+*FAIR Life Sciences Integration:*
+> Query federated endpoints for protein interaction data from UniProt, gene expression profiles from EBI, and clinical trial outcomes from ClinicalTrials.gov, then integrate these datasets through SPARQL CONSTRUCT queries, create cross-references using shared identifiers, and embed the unified knowledge graph into an interactive research article with live data visualizations
+
+**Perfect for:**
+* Business intelligence automation and reporting
+* Federated biomedical data integration and analysis
+* AI-assisted research data discovery and linking
+* Natural language interfaces to knowledge graphs
+* Intelligent data processing and monitoring pipelines
+
+See the [Web-Algebra repository](https://github.com/AtomGraph/Web-Algebra) for setup instructions and examples of AI agents managing LinkedDataHub instances.
+
 ## How to get involved
 
 * contribute a new LDH application or modify [one of ours](https://github.com/AtomGraph/LinkedDataHub-Apps)

http-tests/admin/acl/agent-acl-modes.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# create a new document to test ACL modes against
+
+doc_url=$(create-item.sh \
+  -b "$END_USER_BASE_URL" \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  --container "$END_USER_BASE_URL" \
+  --title "ACL Test Document Agent" \
+  --slug "acl-test-document-agent"
+)
+
+# test that the signed up agent accessing the document returns correct Link header with ACL modes (no Control)
+
+response_headers=$(mktemp)
+
+curl -k -f -v \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  -D "$response_headers" \
+  -o /dev/null \
+  "$doc_url"
+
+cat "$response_headers"
+
+# check that each expected ACL mode is present in Link header (order independent)
+# signed up agents should have Read, Write, Append but NOT Control
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Read>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Write>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Append>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+
+# verify Control mode is NOT present for signed up agent
+! grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Control>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+
+rm "$response_headers"

http-tests/admin/acl/owner-acl-modes.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# create a new document to test ACL modes against
+
+doc_url=$(create-item.sh \
+  -b "$END_USER_BASE_URL" \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --container "$END_USER_BASE_URL" \
+  --title "ACL Test Document" \
+  --slug "acl-test-document"
+)
+
+# test that the owner agent accessing the document returns correct Link header with all ACL modes
+
+response_headers=$(mktemp)
+
+curl -k -f -v \
+  -E "$OWNER_CERT_FILE":"$OWNER_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  -D "$response_headers" \
+  -o /dev/null \
+  "$doc_url"
+
+cat "$response_headers"
+
+# check that each ACL mode is present in Link header (order independent)
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Read>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Write>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Append>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+grep -q "Link:.*<http://www.w3.org/ns/auth/acl#Control>; rel=http://www.w3.org/ns/auth/acl#mode" "$response_headers"
+
+rm "$response_headers"

pom.xml

@@ -3,7 +3,7 @@
 
     <groupId>com.atomgraph</groupId>
     <artifactId>linkeddatahub</artifactId>
-    <version>5.0.22</version>
+    <version>5.0.23</version>
     <packaging>${packaging.type}</packaging>
 
     <name>AtomGraph LinkedDataHub</name>
@@ -46,7 +46,7 @@
         <url>https://github.com/AtomGraph/LinkedDataHub</url>
         <connection>scm:git:git://github.com/AtomGraph/LinkedDataHub.git</connection>
         <developerConnection>scm:git:git@github.com:AtomGraph/LinkedDataHub.git</developerConnection>
-        <tag>linkeddatahub-5.0.22</tag>
+        <tag>linkeddatahub-5.0.23</tag>
     </scm>
 
     <repositories>

src/main/java/com/atomgraph/linkeddatahub/resource/Generate.java

@@ -102,15 +102,13 @@ public Generate(@Context Request request, @Context UriInfo uriInfo, MediaTypes m
     @Override
     public Response post(Model model, @QueryParam("default") @DefaultValue("false") Boolean defaultGraph, @QueryParam("graph") URI graphUri)
     {
-        ResIterator it = model.listSubjectsWithProperty(LDH.service);
+        ResIterator it = model.listSubjectsWithProperty(SIOC.HAS_PARENT);
         try
         {
             if (!it.hasNext()) throw new BadRequestException("Argument resource not provided");
 
             Resource arg = it.next();
             Resource service = arg.getPropertyResourceValue(LDH.service);
-            if (service == null) throw new BadRequestException("Service URI (ldh:service) not provided");
-
             Resource parent = arg.getPropertyResourceValue(SIOC.HAS_PARENT);
             if (parent == null) throw new BadRequestException("Parent container (sioc:has_parent) not provided");
 
@@ -177,16 +175,19 @@ public Response post(Model model, @QueryParam("default") @DefaultValue("false")
      * @param model RDF model
      * @param title query title
      * @param query query object
-     * @param service SPARQL service resource
+     * @param service optional SPARQL service resource
      * @return query resource
      */
     public Resource createContainerSelect(Model model, String title, Query query, Resource service)
     {
-        return model.createResource().
+        Resource resource = model.createResource().
             addProperty(RDF.type, SP.Select).
             addLiteral(DCTerms.title, title).
-            addProperty(SP.text, query.toString()).
-            addProperty(LDH.service, service);
+            addProperty(SP.text, query.toString());
+        
+        if (service != null) resource.addProperty(LDH.service, service);
+        
+        return resource;
     }
 
     /**

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java

@@ -136,14 +136,14 @@ public void filter(ContainerRequestContext request) throws IOException
         if (request.getSecurityContext().getUserPrincipal() instanceof Agent) agent = ((Agent)(request.getSecurityContext().getUserPrincipal()));
         else agent = null; // public access
 
-        Resource authorization = authorize(request, agent, accessMode);
-        if (authorization == null)
+        Model authorizations = authorize(request, agent, accessMode);
+        if (authorizations == null)
         {
             if (log.isTraceEnabled()) log.trace("Access not authorized for request URI: {} and access mode: {}", request.getUriInfo().getAbsolutePath(), accessMode);
             throw new AuthorizationException("Access not authorized for request URI", request.getUriInfo().getAbsolutePath(), accessMode);
         }
         else // authorization successful
-            request.setProperty(AuthorizationContext.class.getCanonicalName(), new AuthorizationContext(authorization.getModel()));
+            request.setProperty(AuthorizationContext.class.getCanonicalName(), new AuthorizationContext(authorizations));
     }
 
     /**
@@ -152,21 +152,22 @@ public void filter(ContainerRequestContext request) throws IOException
      * @param request current request
      * @param agent agent resource or null
      * @param accessMode ACL access mode
-     * @return authorization resource or null
+     * @return authorizations model or null if access denied
      */
-    public Resource authorize(ContainerRequestContext request, Resource agent, Resource accessMode)
+    public Model authorize(ContainerRequestContext request, Resource agent, Resource accessMode)
     {
         Resource accessTo = ResourceFactory.createResource(request.getUriInfo().getAbsolutePath().toString());
-        
-        // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
+        QuerySolutionMap thisQsm = new QuerySolutionMap();
+        thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
+        Model authorizations = ModelFactory.createDefaultModel();
+
+        // the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access.
+        // Note: the document does not even need to have a type at this point.
         if (agent != null && isOwner(accessTo, agent))
         {
             log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
-            return createOwnerAuthorization(accessTo, agent);
+            createOwnerAuthorization(authorizations, accessTo, agent);
         }
-        
-        QuerySolutionMap thisQsm = new QuerySolutionMap();
-        thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
 
         ResultSetRewindable docTypesResult = loadResultSet(getApplication().getService(), getDocumentTypeQuery(), thisQsm);
         try
@@ -192,24 +193,30 @@ public Resource authorize(ContainerRequestContext request, Resource agent, Resou
                     // only root and containers allow child documents. This needs to be checked before checking ownership
                     if (Collections.disjoint(parentTypes, Set.of(Default.Root, DH.Container))) return null;
                     docTypesResult.reset(); // rewind result set to the beginning - it's used again later on
-
-                    // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
+                    
+                    // the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
                     if (agent != null && isOwner(accessTo, agent))
                     {
                         log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
-                        return createOwnerAuthorization(accessTo, agent);
+                        createOwnerAuthorization(authorizations, accessTo, agent);
                     }
                 }
+                // access to non-existing documents is denied if the request method is not PUT *and* the agent has no Write access
                 else return null;
             }
-
+        
             ParameterizedSparqlString pss = getApplication().canAs(EndUserApplication.class) ? getACLQuery() : getOwnerACLQuery();
             Query query = new SetResultSetValues().apply(pss.asQuery(), docTypesResult);
             pss = new ParameterizedSparqlString(query.toString()); // make sure VALUES are now part of the query string
             assert pss.toString().contains("VALUES");
 
-            Model authModel = loadModel(getAdminService(), pss, new AuthorizationParams(getApplication().getBase(), accessTo, agent).get());
-            return getAuthorizationByMode(authModel, accessMode);
+            // note we're not setting the $mode value on the ACL queries as we want to provide the AuthorizationContext with all of the agent's authorizations
+            authorizations.add(loadModel(getAdminService(), pss, new AuthorizationParams(getApplication().getBase(), accessTo, agent).get()));
+            
+            // access denied if the agent has no authorization to the requested document with the requested ACL mode
+            if (getAuthorizationByMode(authorizations, accessMode) == null) return null;
+                
+            return authorizations;
         }
         finally
         {
@@ -326,17 +333,18 @@ protected ResultSetRewindable loadResultSet(com.atomgraph.linkeddatahub.model.Se
 
     /**
      * Creates a special <code>acl:Authorization</code> resource for an owner.
+     * @param model RDF model
      * @param accessTo requested URI
      * @param agent authenticated agent
      * @return authorization resource
      */
-    public Resource createOwnerAuthorization(Resource accessTo, Resource agent)
+    public Resource createOwnerAuthorization(Model model, Resource accessTo, Resource agent)
     {
+        if (model == null) throw new IllegalArgumentException("Model cannot be null");
         if (accessTo == null) throw new IllegalArgumentException("Document resource cannot be null");
         if (agent == null) throw new IllegalArgumentException("Agent resource cannot be null");
 
-        return ModelFactory.createDefaultModel().
-                createResource().
+        return model.createResource().
                 addProperty(RDF.type, ACL.Authorization).
                 addProperty(RDF.type, LACL.OwnerAuthorization).
                 addProperty(ACL.accessTo, accessTo).

src/main/java/com/atomgraph/linkeddatahub/server/filter/response/ResponseHeadersFilter.java

@@ -23,6 +23,7 @@
 import com.atomgraph.linkeddatahub.apps.model.Application;
 import com.atomgraph.linkeddatahub.apps.model.Dataset;
 import com.atomgraph.linkeddatahub.model.auth.Agent;
+import com.atomgraph.linkeddatahub.server.model.impl.Dispatcher;
 import com.atomgraph.linkeddatahub.server.security.AuthorizationContext;
 import com.atomgraph.linkeddatahub.vocabulary.ACL;
 import java.io.IOException;
@@ -77,27 +78,17 @@ public void filter(ContainerRequestContext request, ContainerResponseContext res
         List<Object> linkValues = response.getHeaders().get(HttpHeaders.LINK);
         List<Link> links = parseLinkHeaderValues(linkValues);
 
-        // check whether Link rel=ldt:base is not already set. Link headers might be forwarded by ProxyResourceBase
-        if (getLinksByRel(links, LDT.base.getURI()).isEmpty())
-        {
-            // add Link rel=ldt:base
-            response.getHeaders().add(HttpHeaders.LINK, new Link(getApplication().getBaseURI(), LDT.base.getURI(), null));
+        if (getLinksByRel(links, SD.endpoint.getURI()).isEmpty())
             // add Link rel=sd:endpoint.
             // TO-DO: The external SPARQL endpoint URL is different from the internal one currently specified as sd:endpoint in the context dataset
-            response.getHeaders().add(HttpHeaders.LINK, new Link(request.getUriInfo().getBaseUriBuilder().path("sparql").build(), SD.endpoint.getURI(), null));
-            // add Link rel=ldt:ontology, if the ontology URI is specified
-            if (getApplication().getOntology() != null)
-                response.getHeaders().add(HttpHeaders.LINK, new Link(URI.create(getApplication().getOntology().getURI()), LDT.ontology.getURI(), null));
-            // add Link rel=ac:stylesheet, if the stylesheet URI is specified
-            if (getApplication().getStylesheet() != null)
-                response.getHeaders().add(HttpHeaders.LINK, new Link(URI.create(getApplication().getStylesheet().getURI()), AC.stylesheet.getURI(), null));
-        }
-        else
-        {
-            // add Link rel=sd:endpoint.
-            if (getLinksByRel(links, SD.endpoint.getURI()).isEmpty() && getDataset().isPresent() && getDataset().get().getService() != null)
-                response.getHeaders().add(HttpHeaders.LINK, new Link(URI.create(getDataset().get().getService().getSPARQLEndpoint().getURI()), SD.endpoint.getURI(), null));
-        }
+            response.getHeaders().add(HttpHeaders.LINK, new Link(request.getUriInfo().getBaseUriBuilder().path(Dispatcher.class, "getSPARQLEndpoint").build(), SD.endpoint.getURI(), null));
+
+        // add Link rel=ldt:ontology, if the ontology URI is specified
+        if (getApplication().getOntology() != null)
+            response.getHeaders().add(HttpHeaders.LINK, new Link(URI.create(getApplication().getOntology().getURI()), LDT.ontology.getURI(), null));
+        // add Link rel=ac:stylesheet, if the stylesheet URI is specified
+        if (getApplication().getStylesheet() != null)
+            response.getHeaders().add(HttpHeaders.LINK, new Link(URI.create(getApplication().getStylesheet().getURI()), AC.stylesheet.getURI(), null));
 
         if (response.getHeaders().get(HttpHeaders.LINK) != null)
         {