404 --> 403/401 with DELETE

nodeSolidServer · Jan 15, 2024 · 809e0ac · 809e0ac
1 parent 95dd7c0
commit 809e0ac
Showing 1 changed file with 19 additions and 13 deletions.
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
@@ -128,19 +128,23 @@ class ACLChecker {
 
     // For delete HTTP method
     if ((method === 'DELETE')) {
-      // deleting a Container
-      // without Read, the response code will reveal whether a Container is empty or not
-      if (directory && this.resource.endsWith('/')) resourceAccessDenied([ACL('Read'), ACL('Write')])
-      // if resource and acl have same parent container,
-      // then Read Write from parent is required
-      else if (!directory && aclFile.value.endsWith(`/${this.suffix}`)) await accessdeniedFromParent([ACL('Read'), ACL('Write')]) // directory = rdf.sym(dirname(aclFile.value) + '/')
+      if (resourceExists) {
+        // deleting a Container
+        // without Read, the response code will reveal whether a Container is empty or not
+        if (directory && this.resource.endsWith('/')) resourceAccessDenied([ACL('Read'), ACL('Write')])
+        // if resource and acl have same parent container,
+        // then Read Write from parent is required
+        else if (!directory && aclFile.value.endsWith(`/${this.suffix}`)) await accessdeniedFromParent([ACL('Read'), ACL('Write')])
 
-      // deleting a Document
-      else if ((directory && directory.value === dirname(aclFile.value) + '/')) {
-        accessDeniedForAccessTo([ACL('Write')])
-      } else {
-        await accessdeniedFromParent([ACL('Write')])
-      }
+        // deleting a Document
+        else if (directory && directory.value === dirname(aclFile.value) + '/') {
+          accessDeniedForAccessTo([ACL('Write')])
+        } else {
+          await accessdeniedFromParent([ACL('Write')])
+        }
+
+      // https://github.com/solid/specification/issues/14#issuecomment-1712773516
+      } else { accessDenied = true }
     }
 
     if (accessDenied && user) {
@@ -166,7 +170,9 @@ class ACLChecker {
     return `${parts.join('/')}/`
   }
 
-  // Gets the ACL that applies to the resource
+  // Gets the ACL's that applies to the resource
+  // DELETE uses docAcl when docAcl is parent to the resource
+  // or docAcl and parentAcl when docAcl is the ACL of the Resource
   async getNearestACL (method) {
     const { resource } = this
     let isContainer = false