Control access on the container #33
Description
While working on ACL tests, I had two tests that simply accessed the container's .acl, but with different permissions, one had:
<#0>
a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#default> <./> ;
<http://www.w3.org/ns/auth/acl#agent> <https://tim.localhost:7777/profile/card#me> ;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control>. and the other:
<#Owner>
a <http://www.w3.org/ns/auth/acl#Authorization> ;
<http://www.w3.org/ns/auth/acl#accessTo> <./>;
<http://www.w3.org/ns/auth/acl#agent> <https://tim.localhost:7777/profile/card#me>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .Now, I'm underslept due to being held awake by kids and coughing, so excuse me if I'm wrong, but this seems to be two different interpretations of what the ACL file is. In the first test, the .acl is a resource like the others, and so you grant Control to that. And that seems like a misunderstanding that I recently held too. My interpretation of this authorization is that you grant control to the resources in the container, not the container itself, and thus not Control to the container's ACL file.
In the latter case, Control is granted on the container, and therefore you can read and write .acl.
Given that both tests are testing access to the .acl, I'm inclined to say that the first tests is wrong, it needs a <http://www.w3.org/ns/auth/acl#accessTo> <./>; predicate-object in the ACL.
Alternatively, we could check for permissions viewing the .acl from both angles, so that both tests will pass as they stand.
I think it could use some detailing in the spec, thus this issue.