For debugging purposes, it would be useful if we could grant people permission to see a .acl file.
Or even just have a debug flag to switch that on.
Interesting! So like, a ‘—debug’ flag you can start the server with, to enable things like seeing .acls?
Yes. Or perhaps a more specific flag/option even, like publicACL.
Maybe. (Considered the option of changing the ACL system to allow a new mode, but the stability of the ACL system is more important. When someone is denied access, do you tell then which group they need to join to get access? Sometimes that is valuable socially, and valuable for on-boarding. People generally regard it as bad security to be open about such things so you basically enumerate the attack vectors.)
But as a config option, it could make sense, during testing. What would also be brilliant in the body of the error response is a breakdown of where the ACL logic decided no, which ACL file was used, and where the query failed, but "where the query failed" is hard to define and hard to code IMHO)
When someone is denied access, do you tell then which group they need to join to get access? Sometimes that is valuable socially, and valuable for on-boarding. People generally regard it as bad security to be open about such things so you basically enumerate the attack vectors.
I wonder if we can implement that as an explicit Read permission on the .acl. Right now, we only have Control to capture Read + Write in the specific case of .acl.
What would also be brilliant in the body of the error response is a breakdown of where the ACL logic decided no, which ACL file was used
Indeed. That sort of debug information is easy to gather.
And in the mid to long term, these should be N3 proofs of course 😄