From 809e0ac7361d642fdeed3731505ba28ad724a5bb Mon Sep 17 00:00:00 2001
From: bourgeoa
Date: Mon, 15 Jan 2024 12:00:01 +0100
Subject: [PATCH] 404 --> 403/401 with DELETE
---
 lib/acl-checker.js | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
index 7f6c3b61..eeb6a176 100644
--- a/lib/acl-checker.js
+++ b/lib/acl-checker.js
@@ -128,19 +128,23 @@ class ACLChecker {
 // For delete HTTP method
 if ((method === 'DELETE')) {
- // deleting a Container
- // without Read, the response code will reveal whether a Container is empty or not
- if (directory && this.resource.endsWith('/')) resourceAccessDenied([ACL('Read'), ACL('Write')])
- // if resource and acl have same parent container,
- // then Read Write from parent is required
- else if (!directory && aclFile.value.endsWith(`/${this.suffix}`)) await accessdeniedFromParent([ACL('Read'), ACL('Write')]) // directory = rdf.sym(dirname(aclFile.value) + '/')
+ if (resourceExists) {
+ // deleting a Container
+ // without Read, the response code will reveal whether a Container is empty or not
+ if (directory && this.resource.endsWith('/')) resourceAccessDenied([ACL('Read'), ACL('Write')])
+ // if resource and acl have same parent container,
+ // then Read Write from parent is required
+ else if (!directory && aclFile.value.endsWith(`/${this.suffix}`)) await accessdeniedFromParent([ACL('Read'), ACL('Write')])
- // deleting a Document
- else if ((directory && directory.value === dirname(aclFile.value) + '/')) {
- accessDeniedForAccessTo([ACL('Write')])
- } else {
- await accessdeniedFromParent([ACL('Write')])
- }
+ // deleting a Document
+ else if (directory && directory.value === dirname(aclFile.value) + '/') {
+ accessDeniedForAccessTo([ACL('Write')])
+ } else {
+ await accessdeniedFromParent([ACL('Write')])
+ }
+
+ // https://github.com/solid/specification/issues/14#issuecomment-1712773516
+ } else { accessDenied = true }
 }
 if (accessDenied && user) {
@@ -166,7 +170,9 @@ class ACLChecker {
 return `${parts.join('/')}/`
 }
- // Gets the ACL that applies to the resource
+ // Gets the ACL's that applies to the resource
+ // DELETE uses docAcl when docAcl is parent to the resource
+ // or docAcl and parentAcl when docAcl is the ACL of the Resource
 async getNearestACL (method) {
 const { resource } = this
 let isContainer = false
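Review bot: The new `} else { accessDenied = true }` branch denies every DELETE of a non-existent resource without consulting the agent's permissions on the parent container, so an agent that does hold Write there now gets 401/403 (via the `if (accessDenied && user)` check visible below) where it previously got 404. If that unconditional denial is the intended reading of the linked spec thread, the bare URL comment should say so, since a reader cannot tell whether the missing permission check is deliberate; something like `// Resource does not exist: deny rather than 404 so a DELETE cannot be used to probe for existence (see solid/specification#14)` would carry the rationale. If instead the goal is only to hide existence from agents lacking rights on the parent, the branch would presumably still need to run the parent check before deciding between 404 and a denial. The `resourceExists` flag and the start of the enclosing method are outside the hunk, so I cannot confirm how the flag is derived.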
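Review bot: The added comment `// Gets the ACL's that applies to the resource` uses a stray apostrophe and a singular verb with a plural subject; `// Gets the ACLs that apply to the resource` reads correctly. The two following lines suggest getNearestACL may yield either docAcl alone or docAcl together with parentAcl, so stating the return shape in the comment would help callers, which I cannot verify here because getNearestACL starts at the hunk's end and continues past it.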