Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Split WebAclReader behaviour over multiple classes

Browse Source
This commit is contained in:
Joachim Van Herwegen
2022-06-29 11:00:35 +02:00
parent 0ff05fd420
commit 7996fe5c3b
7 changed files with 598 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
src/authorization/ParentContainerReader.ts Normal file
View File

@@ -0,0 +1,115 @@
import type { CredentialGroup } from '../authentication/Credentials';
import type { ResourceIdentifier } from '../http/representation/ResourceIdentifier';
import { getLoggerFor } from '../logging/LogUtil';
import type { IdentifierStrategy } from '../util/identifiers/IdentifierStrategy';
import { IdentifierMap, IdentifierSetMultiMap } from '../util/map/IdentifierMap';
import type { MapEntry } from '../util/map/MapUtil';
import { modify } from '../util/map/MapUtil';
import type { PermissionReaderInput } from './PermissionReader';
import { PermissionReader } from './PermissionReader';
import type { PermissionMap, Permission, PermissionSet, AccessMap } from './permissions/Permissions';
import { AccessMode } from './permissions/Permissions';
/**
* Determines `delete` and `create` permissions for those resources that need it
* by making sure the parent container has the required permissions.
*
* Create requires `append` permissions on the parent container.
* Delete requires `write` permissions on both the parent container and the resource itself.
*/
export class ParentContainerReader extends PermissionReader {
protected readonly logger = getLoggerFor(this);
private readonly reader: PermissionReader;
private readonly identifierStrategy: IdentifierStrategy;
public constructor(reader: PermissionReader, identifierStrategy: IdentifierStrategy) {
super();
this.reader = reader;
this.identifierStrategy = identifierStrategy;
}
public async handle({ requestedModes, credentials }: PermissionReaderInput): Promise<PermissionMap> {
// Finds the entries for which we require parent container permissions
const containerMap = this.findParents(requestedModes);
// Merges the necessary parent container modes with the already requested modes
const combinedModes = modify(new IdentifierSetMultiMap(requestedModes), { add: containerMap.values() });
const result = await this.reader.handleSafe({ requestedModes: combinedModes, credentials });
// Updates the create/delete permissions based on the parent container permissions
for (const [ identifier, [ container ]] of containerMap) {
this.logger.debug(`Determining ${identifier.path} create and delete permissions based on ${container.path}`);
result.set(identifier, this.addContainerPermissions(result.get(identifier), result.get(container)));
}
return result;
}
/**
* Finds the identifiers for which we need parent permissions.
* Values are the parent identifier and the permissions they need.
*/
private findParents(requestedModes: AccessMap): IdentifierMap<MapEntry<AccessMap>> {
const containerMap = new IdentifierMap<[ResourceIdentifier, Set<AccessMode>]>();
for (const [ identifier, modes ] of requestedModes.entrySets()) {
if (modes.has(AccessMode.create) || modes.has(AccessMode.delete)) {
const container = this.identifierStrategy.getParentContainer(identifier);
containerMap.set(identifier, [ container, this.getParentModes(modes) ]);
}
}
return containerMap;
}
/**
* Determines which permissions are required on the parent container.
*/
private getParentModes(modes: ReadonlySet<AccessMode>): Set<AccessMode> {
const containerModes: Set<AccessMode> = new Set();
if (modes.has(AccessMode.create)) {
containerModes.add(AccessMode.append);
}
if (modes.has(AccessMode.delete)) {
containerModes.add(AccessMode.write);
}
return containerModes;
}
/**
* Merges the container permission set into the resource permission set
* based on the parent container rules for create/delete permissions.
*/
private addContainerPermissions(resourceSet?: PermissionSet, containerSet?: PermissionSet): PermissionSet {
resourceSet = resourceSet ?? {};
containerSet = containerSet ?? {};
// Already copying the `permissionSet` here since the loop only iterates over the container entries.
// It is possible `resourceSet` contains a key that `containerSet` does not contain.
const resultSet: PermissionSet = { ...resourceSet };
for (const [ group, containerPermission ] of Object.entries(containerSet) as [ CredentialGroup, Permission ][]) {
resultSet[group] = this.interpretContainerPermission(resourceSet[group] ?? {}, containerPermission);
}
return resultSet;
}
/**
* Determines the create and delete permissions for the given resource permissions
* based on those of its parent container.
*/
private interpretContainerPermission(resourcePermission: Permission, containerPermission: Permission): Permission {
const mergedPermission = { ...resourcePermission };
// https://solidproject.org/TR/2021/wac-20210711:
// When an operation requests to create a resource as a member of a container resource,
// the server MUST match an Authorization allowing the acl:Append or acl:Write access privilege
// on the container for new members.
mergedPermission.create = containerPermission.append && resourcePermission.create !== false;
// https://solidproject.org/TR/2021/wac-20210711:
// When an operation requests to delete a resource,
// the server MUST match Authorizations allowing the acl:Write access privilege
// on the resource and the containing container.
mergedPermission.delete = resourcePermission.write && containerPermission.write &&
resourcePermission.delete !== false;
return mergedPermission;
}
}

76
src/authorization/WebAclAuxiliaryReader.ts Normal file
View File

@@ -0,0 +1,76 @@
import type { CredentialGroup } from '../authentication/Credentials';
import type { AuxiliaryStrategy } from '../http/auxiliary/AuxiliaryStrategy';
import type { ResourceIdentifier } from '../http/representation/ResourceIdentifier';
import { getLoggerFor } from '../logging/LogUtil';
import { IdentifierSetMultiMap } from '../util/map/IdentifierMap';
import type { MapEntry } from '../util/map/MapUtil';
import { modify } from '../util/map/MapUtil';
import type { PermissionReaderInput } from './PermissionReader';
import { PermissionReader } from './PermissionReader';
import { AclMode } from './permissions/AclPermission';
import type { AclPermission } from './permissions/AclPermission';
import type { AccessMap, AccessMode, PermissionMap, PermissionSet } from './permissions/Permissions';
/**
* Determines the permission for ACL auxiliary resources.
* This is done by looking for control permissions on the subject resource.
*/
export class WebAclAuxiliaryReader extends PermissionReader {
protected readonly logger = getLoggerFor(this);
private readonly reader: PermissionReader;
private readonly aclStrategy: AuxiliaryStrategy;
public constructor(reader: PermissionReader, aclStrategy: AuxiliaryStrategy) {
super();
this.reader = reader;
this.aclStrategy = aclStrategy;
}
public async handle({ requestedModes, credentials }: PermissionReaderInput): Promise<PermissionMap> {
// Finds all the ACL identifiers
const aclMap = new Map(this.findAcl(requestedModes));
// Replaces the ACL identifies with the corresponding subject identifiers
const updatedMap = modify(new IdentifierSetMultiMap(requestedModes),
{ add: aclMap.values(), remove: aclMap.keys() });
const result = await this.reader.handleSafe({ requestedModes: updatedMap, credentials });
// Extracts the ACL permissions based on the subject control permissions
for (const [ identifier, [ subject ]] of aclMap) {
this.logger.debug(`Mapping ${subject.path} control permission to all permissions for ${identifier.path}`);
result.set(identifier, this.interpretControl(identifier, result.get(subject)));
}
return result;
}
/**
* Finds all ACL identifiers and maps them to their subject identifier and the requested modes.
*/
private* findAcl(accessMap: AccessMap): Iterable<[ResourceIdentifier, MapEntry<AccessMap>]> {
for (const [ identifier ] of accessMap) {
if (this.aclStrategy.isAuxiliaryIdentifier(identifier)) {
const subject = this.aclStrategy.getSubjectIdentifier(identifier);
// Unfortunately there is no enum inheritance so we have to cast like this
yield [ identifier, [ subject, new Set([ AclMode.control ] as unknown as AccessMode[]) ]];
}
}
}
/**
* Updates the permissions for an ACL resource by interpreting the Control access mode as allowing full access.
*/
protected interpretControl(identifier: ResourceIdentifier, permissionSet: PermissionSet = {}): PermissionSet {
const aclSet: PermissionSet = {};
for (const [ group, permissions ] of Object.entries(permissionSet) as [ CredentialGroup, AclPermission ][]) {
const { control } = permissions;
aclSet[group] = {
read: control,
append: control,
write: control,
control,
} as AclPermission;
}
return aclSet;
}
}

277
src/authorization/WebAclReader.ts
View File

@@ -4,13 +4,14 @@ import { CredentialGroup } from '../authentication/Credentials';
import type { AuxiliaryIdentifierStrategy } from '../http/auxiliary/AuxiliaryIdentifierStrategy';
import type { ResourceIdentifier } from '../http/representation/ResourceIdentifier';
import { getLoggerFor } from '../logging/LogUtil';
import type { ResourceSet } from '../storage/ResourceSet';
import type { ResourceStore } from '../storage/ResourceStore';
import { INTERNAL_QUADS } from '../util/ContentTypes';
import { createErrorMessage } from '../util/errors/ErrorUtil';
import { ForbiddenHttpError } from '../util/errors/ForbiddenHttpError';
import { InternalServerError } from '../util/errors/InternalServerError';
import { NotFoundHttpError } from '../util/errors/NotFoundHttpError';
import type { IdentifierStrategy } from '../util/identifiers/IdentifierStrategy';
import { IdentifierMap, IdentifierSetMultiMap } from '../util/map/IdentifierMap';
import { readableToQuads } from '../util/StreamUtil';
import { ACL, RDF } from '../util/Vocabularies';
import type { AccessChecker } from './access/AccessChecker';
@@ -18,7 +19,7 @@ import type { PermissionReaderInput } from './PermissionReader';
import { PermissionReader } from './PermissionReader';
import type { AclPermission } from './permissions/AclPermission';
import { AclMode } from './permissions/AclPermission';
import type { PermissionSet } from './permissions/Permissions';
import type { PermissionMap } from './permissions/Permissions';
import { AccessMode } from './permissions/Permissions';
// Maps WebACL-specific modes to generic access modes.
@@ -29,24 +30,27 @@ const modesMap: Record<string, Readonly<(keyof AclPermission)[]>> = {
[ACL.Control]: [ AclMode.control ],
} as const;
type AclSet = { targetAcl: Store; parentAcl?: Store };
/**
* Handles permissions according to the WAC specification.
* Finds the permissions of a resource as defined in the corresponding ACL resource.
* Does not make any deductions such as checking parent containers for create permissions
* or applying control permissions for ACL resources.
*
* Specific access checks are done by the provided {@link AccessChecker}.
*/
export class WebAclReader extends PermissionReader {
protected readonly logger = getLoggerFor(this);
private readonly aclStrategy: AuxiliaryIdentifierStrategy;
private readonly resourceSet: ResourceSet;
private readonly aclStore: ResourceStore;
private readonly identifierStrategy: IdentifierStrategy;
private readonly accessChecker: AccessChecker;
public constructor(aclStrategy: AuxiliaryIdentifierStrategy, aclStore: ResourceStore,
public constructor(aclStrategy: AuxiliaryIdentifierStrategy, resourceSet: ResourceSet, aclStore: ResourceStore,
identifierStrategy: IdentifierStrategy, accessChecker: AccessChecker) {
super();
this.aclStrategy = aclStrategy;
this.resourceSet = resourceSet;
this.aclStore = aclStore;
this.identifierStrategy = identifierStrategy;
this.accessChecker = accessChecker;
@@ -57,79 +61,57 @@ export class WebAclReader extends PermissionReader {
* Will throw an error if this is not the case.
* @param input - Relevant data needed to check if access can be granted.
*/
public async handle({ identifier, credentials, modes }: PermissionReaderInput):
Promise<PermissionSet> {
public async handle({ credentials, requestedModes }: PermissionReaderInput): Promise<PermissionMap> {
// Determine the required access modes
this.logger.debug(`Retrieving permissions of ${credentials.agent?.webId} for ${identifier.path}`);
const isAclResource = this.aclStrategy.isAuxiliaryIdentifier(identifier);
const mainIdentifier = isAclResource ? this.aclStrategy.getSubjectIdentifier(identifier) : identifier;
// Adding or removing resources changes the container listing
const requiresContainerCheck = modes.has(AccessMode.create) || modes.has(AccessMode.delete);
// Rather than restricting the search to only the required modes,
// we collect all modes in order to have complete metadata (for instance, for the WAC-Allow header).
const acl = await this.getAcl(mainIdentifier, requiresContainerCheck);
const permissions = await this.findPermissions(acl.targetAcl, credentials, isAclResource);
if (requiresContainerCheck) {
this.logger.debug(`Determining ${identifier.path} permissions requires verifying parent container permissions`);
const parentPermissions = acl.targetAcl === acl.parentAcl ?
permissions :
await this.findPermissions(acl.parentAcl!, credentials, false);
// https://solidproject.org/TR/2021/wac-20210711:
// When an operation requests to create a resource as a member of a container resource,
// the server MUST match an Authorization allowing the acl:Append or acl:Write access privilege
// on the container for new members.
permissions[CredentialGroup.agent]!.create = parentPermissions[CredentialGroup.agent]!.append;
permissions[CredentialGroup.public]!.create = parentPermissions[CredentialGroup.public]!.append;
// https://solidproject.org/TR/2021/wac-20210711:
// When an operation requests to delete a resource,
// the server MUST match Authorizations allowing the acl:Write access privilege
// on the resource and the containing container.
permissions[CredentialGroup.agent]!.delete =
permissions[CredentialGroup.agent]!.write && parentPermissions[CredentialGroup.agent]!.write;
permissions[CredentialGroup.public]!.delete =
permissions[CredentialGroup.public]!.write && parentPermissions[CredentialGroup.public]!.write;
}
return permissions;
this.logger.debug(`Retrieving permissions of ${credentials.agent?.webId ?? 'an unknown agent'}`);
const aclMap = await this.getAclMatches(requestedModes.distinctKeys());
const storeMap = await this.findAuthorizationStatements(aclMap);
return await this.findPermissions(storeMap, credentials);
}
/**
* Finds the permissions in the provided WebACL quads.
* @param acl - Store containing all relevant authorization triples.
*
* Rather than restricting the search to only the required modes,
* we collect all modes in order to have complete metadata (for instance, for the WAC-Allow header).
*
* @param aclMap - A map containing stores of ACL data linked to their relevant identifiers.
* @param credentials - Credentials to check permissions for.
* @param isAcl - If the target resource is an acl document.
*/
private async findPermissions(acl: Store, credentials: CredentialSet, isAcl: boolean): Promise<PermissionSet> {
const publicPermissions = await this.determinePermissions(acl, credentials.public);
const agentPermissions = await this.determinePermissions(acl, credentials.agent);
private async findPermissions(aclMap: Map<Store, ResourceIdentifier[]>, credentials: CredentialSet):
Promise<PermissionMap> {
const result: PermissionMap = new IdentifierMap();
for (const [ store, aclIdentifiers ] of aclMap) {
// WebACL only supports public and agent permissions
const publicPermissions = await this.determinePermissions(store, credentials.public);
const agentPermissions = await this.determinePermissions(store, credentials.agent);
for (const identifier of aclIdentifiers) {
result.set(identifier, {
[CredentialGroup.public]: publicPermissions,
[CredentialGroup.agent]: agentPermissions,
});
}
}
return {
[CredentialGroup.agent]: this.updateAclPermissions(agentPermissions, isAcl),
[CredentialGroup.public]: this.updateAclPermissions(publicPermissions, isAcl),
};
return result;
}
/**
* Determines the available permissions for the given credentials.
* Will deny all permissions if credentials are not defined
* @param acl - Store containing all relevant authorization triples.
* @param credentials - Credentials to find the permissions for.
* @param credential - Credentials to find the permissions for.
*/
private async determinePermissions(acl: Store, credentials?: Credential): Promise<AclPermission> {
private async determinePermissions(acl: Store, credential?: Credential): Promise<AclPermission> {
const aclPermissions: AclPermission = {};
if (!credentials) {
if (!credential) {
return aclPermissions;
}
// Apply all ACL rules
const aclRules = acl.getSubjects(RDF.type, ACL.Authorization, null);
for (const rule of aclRules) {
const hasAccess = await this.accessChecker.handleSafe({ acl, rule, credential: credentials });
const hasAccess = await this.accessChecker.handleSafe({ acl, rule, credential });
if (hasAccess) {
// Set all allowed modes to true
const modes = acl.getObjects(rule, ACL.mode, null);
@@ -147,122 +129,101 @@ export class WebAclReader extends PermissionReader {
}
/**
* Sets the correct values for non-acl permissions such as create and delete.
* Also adds the correct values to indicate that having control permission
* implies having read/write/etc. on the acl resource.
* Finds the ACL data relevant for all the given resources.
* The input set will be modified in place.
*
* The main reason for keeping the control value is so we can correctly set the WAC-Allow header later.
* @param targets - Targets to find ACL data for.
*
* @returns A map linking ACL resources to the relevant identifiers.
*/
private updateAclPermissions(aclPermissions: AclPermission, isAcl: boolean): AclPermission {
if (isAcl) {
return {
read: aclPermissions.control,
append: aclPermissions.control,
write: aclPermissions.control,
create: aclPermissions.control,
delete: aclPermissions.control,
control: aclPermissions.control,
};
private async getAclMatches(targets: Iterable<ResourceIdentifier>):
Promise<IdentifierSetMultiMap<ResourceIdentifier>> {
const aclMap = new IdentifierSetMultiMap<ResourceIdentifier>();
for (const target of targets) {
this.logger.debug(`Searching ACL data for ${target.path}`);
const aclIdentifier = await this.getAclRecursive(target);
aclMap.add(aclIdentifier, target);
}
return {
...aclPermissions,
create: aclPermissions.write,
delete: aclPermissions.write,
};
return aclMap;
}
/**
* Finds the ACL data relevant for its resource, and potentially its parent if required.
* All quads in the resulting store(s) can be interpreted as being relevant ACL rules for their target.
* Finds the ACL document relevant for the given identifier,
* following the steps defined in https://solidproject.org/TR/2021/wac-20210711#effective-acl-resource.
*
* @param target - Target to find ACL data for.
* @param includeParent - If parent ACL data is also needed.
* @param identifier - {@link ResourceIdentifier} of which we need the ACL document.
*
* @returns The relevant triples.
* @returns The {@link ResourceIdentifier} of the relevant ACL document.
*/
private async getAcl(target: ResourceIdentifier, includeParent: boolean): Promise<AclSet> {
this.logger.debug(`Searching ACL data for ${target.path}${includeParent ? 'and its parent' : ''}`);
const to = includeParent ? this.identifierStrategy.getParentContainer(target) : target;
const acl = await this.getAclRecursive(target, to);
// The only possible case where `acl` has 2 values instead of 1
// is when the `target` has an acl, and `includeParent` is true.
const keys = Object.keys(acl);
if (keys.length === 2) {
const result: AclSet = { targetAcl: await this.filterStore(acl[target.path], target.path, true) };
// The other key will be the parent
const parentKey = keys.find((key): boolean => key !== target.path)!;
result.parentAcl = await this.filterStore(acl[parentKey], parentKey, parentKey === to.path);
return result;
}
// Only 1 key: no parent was requested, target had no direct acl resource, or both
const [ path, store ] = Object.entries(acl)[0];
const result: AclSet = { targetAcl: await this.filterStore(store, path, path === target.path) };
if (includeParent) {
// In case the path is not the parent, it will also just use the defaults just like the target
result.parentAcl = path === to.path ? await this.filterStore(store, path, true) : result.targetAcl;
}
return result;
}
/**
* Finds the ACL resources from all resources in the path between the two (inclusive) identifiers.
* It is important that `from` is a child path of `to`, otherwise behaviour is undefined.
*
* The result is a key/value object with the keys being the identifiers of resources in the path
* that had a corresponding ACL resource, and the value being the contents of that ACL resource.
*
* The function stops after it finds an ACL resource relevant for the `to` identifier.
* This is either its corresponding ACL resource, or one if its parent containers if such a resource does not exist.
*
* Rethrows any non-NotFoundHttpErrors thrown by the ResourceStore.
* @param from - First resource in the path for which ACL data is needed.
* @param to - Last resource in the path for which ACL data is needed.
*
* @returns A map with the key being the actual identifier of which the ACL was found
* and a list of all data found within.
*/
private async getAclRecursive(from: ResourceIdentifier, to: ResourceIdentifier): Promise<Record<string, Store>> {
private async getAclRecursive(identifier: ResourceIdentifier): Promise<ResourceIdentifier> {
// Obtain the direct ACL document for the resource, if it exists
this.logger.debug(`Trying to read the direct ACL document of ${from.path}`);
const result: Record<string, Store> = {};
try {
const acl = this.aclStrategy.getAuxiliaryIdentifier(from);
this.logger.debug(`Trying to read the ACL document ${acl.path}`);
const data = await this.aclStore.getRepresentation(acl, { type: { [INTERNAL_QUADS]: 1 }});
this.logger.info(`Reading ACL statements from ${acl.path}`);
this.logger.debug(`Trying to read the direct ACL document of ${identifier.path}`);
result[from.path] = await readableToQuads(data.data);
const acl = this.aclStrategy.getAuxiliaryIdentifier(identifier);
this.logger.debug(`Determining existence of ${acl.path}`);
if (await this.resourceSet.hasResource(acl)) {
this.logger.info(`Found applicable ACL document ${acl.path}`);
return acl;
}
this.logger.debug(`No direct ACL document found for ${identifier.path}`);
if (from.path.length <= to.path.length) {
return result;
}
} catch (error: unknown) {
if (NotFoundHttpError.isInstance(error)) {
this.logger.debug(`No direct ACL document found for ${from.path}`);
} else {
const message = `Error reading ACL for ${from.path}: ${createErrorMessage(error)}`;
// Find the applicable ACL document of the parent container
this.logger.debug(`Traversing to the parent of ${identifier.path}`);
if (this.identifierStrategy.isRootContainer(identifier)) {
this.logger.error(`No ACL document found for root container ${identifier.path}`);
// https://solidproject.org/TR/2021/wac-20210711#acl-resource-representation
// The root container MUST have an ACL resource with a representation.
throw new ForbiddenHttpError('No ACL document found for root container');
}
const parent = this.identifierStrategy.getParentContainer(identifier);
return this.getAclRecursive(parent);
}
/**
* For every ACL/identifier combination it finds the relevant ACL triples for that identifier.
* This is done in such a way that store results are reused for all matching identifiers.
* The split is based on the `acl:accessTo` and `acl:default` triples.
*
* @param map - Map of matches that need to be filtered.
*/
private async findAuthorizationStatements(map: IdentifierSetMultiMap<ResourceIdentifier>):
Promise<Map<Store, ResourceIdentifier[]>> {
// For every found ACL document, filter out triples that match for specific identifiers
const result = new Map<Store, ResourceIdentifier[]>();
for (const [ aclIdentifier, matchedTargets ] of map.entrySets()) {
const subject = this.aclStrategy.getSubjectIdentifier(aclIdentifier);
this.logger.debug(`Trying to read the ACL document ${aclIdentifier.path}`);
let contents: Store;
try {
const data = await this.aclStore.getRepresentation(aclIdentifier, { type: { [INTERNAL_QUADS]: 1 }});
contents = await readableToQuads(data.data);
} catch (error: unknown) {
// Something is wrong with the server if we can't read the resource
const message = `Error reading ACL resource ${aclIdentifier.path}: ${createErrorMessage(error)}`;
this.logger.error(message);
throw new InternalServerError(message, { cause: error });
}
}
// Obtain the applicable ACL of the parent container
this.logger.debug(`Traversing to the parent of ${from.path}`);
if (this.identifierStrategy.isRootContainer(from)) {
this.logger.error(`No ACL document found for root container ${from.path}`);
// Solid, §10.1: "In the event that a server cant apply an ACL to a resource, it MUST deny access."
// https://solid.github.io/specification/protocol#web-access-control
throw new ForbiddenHttpError('No ACL document found for root container');
// SubjectIdentifiers are those that match the subject identifier of the found ACL document (so max 1).
// Due to how the effective ACL document is found, all other identifiers must be (transitive) children.
// This has impact on whether the `acl:accessTo` or `acl:default` predicate needs to be checked.
const subjectIdentifiers: ResourceIdentifier[] = [];
const childIdentifiers: ResourceIdentifier[] = [];
for (const target of matchedTargets) {
(target.path === subject.path ? subjectIdentifiers : childIdentifiers).push(target);
}
if (subjectIdentifiers.length > 0) {
const subjectStore = await this.filterStore(contents, subject.path, true);
result.set(subjectStore, subjectIdentifiers);
}
if (childIdentifiers.length > 0) {
const childStore = await this.filterStore(contents, subject.path, false);
result.set(childStore, childIdentifiers);
}
}
const parent = this.identifierStrategy.getParentContainer(from);
return {
...result,
...await this.getAclRecursive(parent, to),
};
return result;
}
/**
@@ -279,7 +240,9 @@ export class WebAclReader extends PermissionReader {
// Find subjects that occur with a given predicate/object, and collect all their triples
const subjectData = new Store();
const subjects = store.getSubjects(directAcl ? ACL.terms.accessTo : ACL.terms.default, target, null);
subjects.forEach((subject): any => subjectData.addQuads(store.getQuads(subject, null, null, null)));
for (const subject of subjects) {
subjectData.addQuads(store.getQuads(subject, null, null, null));
}
return subjectData;
}
}