Re: [WAC] regexps in WebAccessControl from Nathan on 2012-11-19 (public-rww@w3.org from November 2012)

From: Nathan <nathan@webr3.org>
Date: Mon, 19 Nov 2012 10:53:51 +0000
To: Read-Write-Web <public-rww@w3.org>
Message-ID: <50AA0FBF.9050909@webr3.org>

Henry Story wrote:
> It is often useful to be able to specify that all resources in a 
> collection ( a directory ) or a whole namespace (say all resources
> under /user/jack/.* have read-write-execute access by joe .
...
>   It is also useful to be able to specify groups of users in general this
>   way, so for example one may want to specify that all employees of Oracle
>   have read access to a resource by doing a regexpression on WebIDs. Perhaps
>   like this https://oracle.com/ppl/[^/]*
...
>   For WebID testing it would be useful to have the group of all people
>   who have authenticated with a WebID. The wiki has it as a discussion point
>   to have a class wac:WebIDAgent [4] but I think regexpressions solve this 
>   much better, since it does not require all verification code to have a special
>   case for WebID Authenticated agents:
> 
> 1. Does this make sense? 

Almost.

> 2. Is the modelling ok?

IMHO, no.

There is no relation between http://example.org/directory/ and 
http://example.org/directory/file-a, all we have are two URIs, let's 
call them <x> and <y>.

If <x> is a directory, or a collection, or a container, or references 
<y>, or any other resource, then we should publish those relations as 
RDF. Then, the relation is no longer hidden, it's visible.

If it's visible, we can use it in WebACL.

Taking the regexp approach, whilst neat, relies on using out of band 
information that's hidden behind the uniform interface - that there is 
some magical relation between <x> and <y> that nobody knows or can see.

SOIC, LDP, and many others have taken the approach of exposing relations 
between resources, collection membership, this is the linked data way, 
WebACL is for the web, and for linked data.

If you know there is a relation between <https://oracle.com/ppl/> and 
<https://oracle.com/ppl/bob>, assert that relation in RDF, and if you 
want to give access to all the people <https://oracle.com/ppl/> refers 
to, then create a quick class using a restriction and give access to them.

This is a far more webby way to do things, and means that any URI can be 
added to the collection, and thus granted access, rather than just those 
which match a particular lexical form.

Hope that makes sense,

Best,

Nathan

ps: still kudos the regexp approach is nice and neat.

Received on Monday, 19 November 2012 10:54:51 UTC