-
Notifications
You must be signed in to change notification settings - Fork 1
/
acl-changes.ttl
142 lines (112 loc) · 5.74 KB
/
acl-changes.ttl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# this file contains changes and additions to http://www.w3.org/ns/auth/acl
# that correspond to auth.py's implementation.
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix : <http://www.w3.org/2000/01/rdf-schema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# changed
acl:default a rdf:Property;
:comment """When this Access Control Resource is inherited, this acl:Authorization
shall be considered if, and only if, this property is present and not false.""";
:domain acl:Authorization;
:range xsd:boolean .
# changed
acl:accessTo a rdf:Property;
:comment "OBSOLETE and ignored, use acl:accessToClass instead." .
# changed
acl:accessToClass a rdf:Property;
:comment """A class of information resource to which access is being granted.
An 'acl:accessToClass acl:Resource' shall be inferred if no acl:accessToClass
is explicitly specified in an acl:Authorization. The value of this property
is constrained to class acl:Resource and its subclasses.""";
:domain acl:Authorization;
:label "to all in";
:range :Class . # specifically, the class acl:Resource and its subclasses.
# all of the below are new
acl:Search a :Class;
:subClassOf acl:Access;
:comment """Allows traversal of a container/directory to a resource.
acl:Search MUST be granted (explicitly or implicitly) from the root down
through containers to the leaf resource, including the leaf itself if it
is a container.
In an Access Control Resource for a container having no acl:Authorization
containing an 'acl:mode acl:Search', an access controller SHALL allow
acl:Search to all, including inheritors, as if the following were present:
[]
a acl:Authorization;
acl:mode acl:Search;
acl:agentClass foaf:Agent;
acl:origin "*";
acl:accessToClass acl:Container;
acl:default true .""" .
acl:excludeAgent a rdf:Property;
:comment "No Authorization, where the Agent is the object of this triple, shall be eligible to authorize an Access.";
:domain acl:Authorization;
:range: foaf:Agent .
acl:excludeAgentGroup a rdf:Property;
:comment """No Authorization, where the Agent is a member of the Group that is the object of this
triple, shall be eligible to authorize an Access.""";
:domain acl:Authorization;
:range <http://www.w3.org/2006/vcard/ns#Group> .
acl:excludeOrigin a rdf:Property;
:comment "No Authorization, where the effective origin of the request is the object of this triple, shall be eligible to authorize an Access.";
:domain acl:Authorization;
:range: acl:Origin .
acl:app a rdf:Property;
:comment """EXPERIMENTAL alternative for acl:origin. An Authorization may be considered for
selection if this exactly matches the beginning of the app identifier URI (for example,
an OAuth2 redirect_uri). For example, 'acl:app "https://foo.example/oauth/"' matches
an app identifier of <https://foo.example/oauth/redirect.html>.""";
:domain acl:Authorization;
:range :Literal .
acl:tag a rdf:Property;
:comment """EXPERIMENTAL alternative for acl:origin. A tag or scope specification.
An Authorization may be considered for selection if the application matches the tag.
The method by which tags are matched with applications, and the method by which
applications are tagged, are reserved for the implementation.""";
:domain acl:Authorization;
:range :Literal .
acl:Resource a :Class;
:comment "The class of all resources subject to Web Access Control; for use with acl:accessToClass." .
acl:SubResource a :Class;
:comment "The class of all resources excluding the container whose Access Control Resource this is.";
:subClassOf acl:Resource .
acl:Container a :Class;
:comment "The class of all containers/directories.";
:subClassOf acl:Resource .
acl:SubContainer a :Class;
:comment "The class of all containers excluding the one whose Access Control Resource this is.";
:subClassOf acl:Container, acl:SubResource .
acl:Document a :Class;
:comment "The class of all non-container resources.";
:subClassOf acl:SubResource .
# !!! EXPERIMENTAL !!! app tagging related additions. very work-in-progress.
acl:AppAuthorization a :Class;
:comment """A tag assignment rule, mapping an application and resource server to zero or more tags.
An AppAuthorization must have an acl:resourceServer, acl:app (or acl:origin), and zero or more acl:tag s.""" .
acl:appAuthorizations a rdf:Property;
:comment """A URI prefix for the user's valid app authorization documents. Any app authorization document
MUST be at a sub-path of one of the user's acl:appAuthorizations or it MUST be ignored.""";
:domain foaf:Agent;
:range :Container .
acl:ResourceServer a :Class;
:comment "A web server, having an acl:origin and an acl:realm." .
acl:TagMode a :Class;
:comment "A set of tags and the access modes to which they apply, having one or more acl:tag and one or more acl:mode" .
acl:origin :domain acl:ResourceServer . # also.
acl:realm a rdf:Property;
:comment "A realm (name of the protection space) at an origin, if any.";
:domain acl:ResourceServer;
:range :Literal .
acl:resourceServer a rdf:Property;
:comment "The server to which this AppAuthorization applies";
:domain acl:AppAuthorization;
:range acl:ResourceServer .
acl:tagMode a rdf:Property;
:comment "Tags and access modes for this AppAuthorization";
:domain acl:AppAuthorization;
:range acl:TagMode .
acl:tag :domain acl:AppAuthorization . # also.
acl:app :domain acl:AppAuthorization . # also.
acl:origin :domain acl:AppAuthorization . # also.