Originally put forward by Ben Roberts (permalink):
- Ian wants to share a file with Jane
- Ian posts the file file to his site with it set to only show to Jane.
- Jane receives a notice that Ian has shared a file with her.
- Jane views the file and decides to leave a thank you comment on the file for Ian
Point 1 is just a desire. We cut point 2. into two parts: the first is uploading a file, and the second is limiting access.
This story has a privacy aspect so we will use WebID-OIDC authentication to illustrate it. Other authentication methods should also work with Web Access Control, such as WebID which is easy, and others that need to be looked at.
Ian has WebID <https://ian.name/card#me>.
GET /card HTTP/1.1
Host: ian.name:443
Accept: text/turtle, application/ld+jsonHTTP/1.1 200 Ok
Accept-Patch: application/sparql-update
Access-Control-Allow-Origin: *
Allow: OPTIONS, GET, HEAD, SEARCH, PATCH
Content-Type: text/turtle
ETag: "1417390950000|Success(922)"
Last-Modified: Sun, 1 April 2015 23:42:30 GMT
Content-Type: text/turtle
Content-Length: 545
Link: <card.acl>; rel=acl
Link: <http://www.w3.org/ns/ldp#Resource>; rel="type"@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<card> a foaf:PersonalProfileDocument;
foaf:primaryTopic <card#me> .
<card#me> a foaf:Person ;
foaf:name "Ian;
foaf:knows <https://jane.org/profile#me> ;In order to be able to do command line curl demos, we will assume that Ian has already obtained a Bearer token via the WebId-OIDC process.
Here curl makes the connection, and authenticates Ian with his Certificate. As a result the content is created.
$ curl -X POST -k -i -H "Content-Type: text/turtle" \
-H "Slug: financials" \
-H 'authorization: Bearer ey...'
--data-binary @financials.ttl https://ian.name/2014/ HTTP/1.1 201 Created
Accept-Patch: application/sparql-update
Access-Control-Allow-Origin: *
Allow: OPTIONS, GET, HEAD, SEARCH, PATCH
Content-Type: text/turtle
ETag: "v0"
Last-Modified: Sun, 1 April 2015 23:42:30 GMT
Link: <http://www.w3.org/ns/ldp#Resource>; rel="type"
Location: /2014/financials
Link: <financials.acl>; rel=aclSo the <financials> resource is created in the LDP container </2014/> . Let us imagine that the <financials.acl> resource indeed limits it currently to only be viewed by the owner Ian.
$ curl -X GET -k -H "Content-Type: text/turtle" \
-H 'authorization: Bearer ey...'
https://ian.name/2014/financials.acl@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
[] acl:accessTo </2014/financials>, <>;
acl:mode acl:Read, acl:Write;
acl:agent </card#me> .To allow access to the resource to Jan, Ian must send the following PATCH, using his certificate as he is the only one authorised to patch the resource.
PATCH /2014/financials.acl HTTP/1.1
Host: ian.name:443
Content-Type: application/sparql-update; utf-8
Content-Length: 120
Authorization: Bearer ey...Prefix acl: <http://www.w3.org/ns/auth/acl#> .
INSERT DATA {
[] acl:accessTo </2014/financials>;
acl:mode acl:Read;
acl:agent <https://jane.org/profile#me> .
}After doing this Jane will be able to read the resource.
Ian's software ( server or client - it does not matter ) somehow needs to find out how to ping Jane. They know Jane's WebID is <https://jane.org/profile#me>, so they can dereference the document at <https://jane.org/profile> for which they probably already have a cached version. If they don't have the full version but just want to find out what the relation they need is they can send the request. A simple GET on the profile will do.
Given that we have shown the obvious way to query in other examples, we show here out of interest a potential optimisation that would send the query in the body of the GET (see discussion on http-wg list ). (The query could also be in a Query header.)
GET /profile HTTP/1.1
Host: jane.org:443
Accept: text/turtle
Content-Type: application/sparql-query; charset=UTF-8
Content-Length: 123PREFIX solid: <http://solid.info/notification/ping#>
CONSTRUCT { <#me> as:ping ?where }
WHERE { <#me> as:ping ?where }If the server does not understand the query, it just returns the full document by default - that is what most servers will do actually do. This still needs to be finalised by ldp and http-wg. A more interesting type of query is probably the SPARQL "DESCRIBE" query which gives the minimal bounded graph around the URI.
The response may then in the best of case just be one short line:
@prefix solid: <http://solid.info/notification/ping#> .
<#me> as:ping </pingInbox/> .To send a notice the agent could send an activity stream event to the
<https://jane.org/pingInbox/> ldp:BasicContainer .
POST /pingInbox/ HTTP/1.1
Host: jane.org:443
Content-Type: text/turtle
Content-Length: 145@prefix as: <http://www.w3.org/ns/activitystreams#> .
[] as:Post ;
as:published "2015-02-10T15:04:55Z"^^xsd:dateTime ;
as:actor <https://ian.name/card#me> ;
as:object <https://ian.name/2014/financials> ;
as:target <https://ian.name/2014/> .{>> We are probably here abusing AS2.0 vocabulary here. We need to work out with the AS2.0 team what they think the right manner of doing this would be. <<}
And the server responds with a 201 created:
HTTP/1.1 201 Created
Accept-Patch: application/sparql-update
Access-Control-Allow-Origin: *
Allow: OPTIONS, GET, HEAD, SEARCH, PATCH
ETag: "v0"
Last-Modified: Sun, 1 April 2015 23:52:12 GMT
Link: <http://www.w3.org/ns/ldp#Resource>; rel="type"
Location: /pingInbox/ping20
Link: <ping20.wac>; rel=aclThe acl is in </pingInbox/ping20.wac> and it may say that the resource is only readable by the owner of the </pingInbox/> container and the sender of the resource in R/W.
{>> we need to find a way to have an ACL that automatically adds the author of the ACL to the authorisation <<} .
At this point we have the following set of links:
Jane reads her inbox at some point, and just does a normal GET on the `https://ian.name/2014/financials resource, using her certificate containing a WebID.