- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 28 Jan 2014 14:16:36 +0100
- To: Erik Wilde <Erik.Wilde@emc.com>
- Cc: John Arwe <johnarwe@us.ibm.com>, "Linked Data Platform (LDP) Working Group" <public-ldp-wg@w3.org>
- Message-Id: <1FC0AA39-5ED3-45C2-A964-13E34EF206BD@bblfish.net>
On 16 Jan 2014, at 22:00, Wilde, Erik <Erik.Wilde@emc.com> wrote: > hello john. > > On 2014-01-16, 20:32 , "John Arwe" <johnarwe@us.ibm.com> wrote: >> It's still valuable, for all the reasons >> you point out. Clients simply have a higher "probability" >> (p=1.0) of receiving that hint from an LDP-compliant HTTP server. > > just adding to that from our implementation experience: determining access > rights can be a rather expensive operation, because it's based on > authenticated identity, roles, and rather complicated role-based access > models for resources. so for us, computing all access rights to all linked > resources would result in very bad UX, because it would take a lot of time > to complete, and the vast majority of accesses to those linked resources > are browsing (i.e., read) only. so what we have is a way for clients to > selectively request this kind of information, because clients know better > what they might need. forcing servers to always compute something that > might be expensive to compute and is not needed in probably >>99% of cases > is not something we would be willing to do, for our specific environment. Having coded a function to calculate this I agree that it can be potentially time consuming to calculate. [[ https://github.com/stample/rww-play/blob/master/app/rww/ldp/auth/WACAuthZ.scala#L238 /** * * @param on resource for which we are looking for rights * @param user verified WebIds of the authenticated user, or the empty list * @return a Future which will contain the list of wac:modes allowed: wac:Read, wac:Write, wac:Append */ def getAllowedMethodsForAgent(on: Rdf#URI, user: List[Rdf#URI]) : Future[Set[Rdf#URI]] ]] Now I suppose the answer could be cached for each resource ( how feasible is that?) but I agree with the point that making it mandatory would mostly be wasteful of server cpu cycles, as in most cases the client does not need the information. For cases where the information is required then an OPTIONS call would return the right information. The danger is that if we keep it as mandatory as we have it now, people might implement the Allow header to return not what the current user can do, but what the user with the most rights can do ( e.g.: the Admin ). If this happens then the Allow header will be mostly a useless hint for a client as to what types of actions he can do on the given resource. After all if Allow just means that the user with the most rights can do something, then it gives us no information in addition to something being either an LDPC or an LDPR, information which we allready have in the Link headers. And the word "Allow" does suggest that the methods that are returned are those that are "allowed". Otherwise I suppose it would have been called "Capabilities". So my argument, and I think yours, is that if Allow is mandatory on GET, HEAD then it won't be useful anymore due to bad implementations. Henry > > cheers, > > dret. > > Social Web Architect http://bblfish.net/
Received on Tuesday, 28 January 2014 13:17:11 UTC