Bug when adding yourself as a friend

[Omitg24]

Description

My teammate, @uo284373, and I had to delete our account due to a problem we encountered while managing permissions for our Software Architecture course teamwork at UNIOVI. We were implementing a "friends" feature where users could read from each other's POD. To access another user's POD, you need their permission. We added the functionality to give and remove permissions, but we faced a serious problem.

Problem

We accidentally added ourselves as friends, and then removed our own permission to read from our POD, specifically our private folder. Unfortunately, we were unable to restore the permission later, which resulted in us having to delete our accounts and create new ones.

It's possible that we made a mistake, or maybe we misused SOLID PODs. Regardless, I wanted to share our experience in case others have encountered a similar issue.

Possible fix

To avoid this error, users should not be able to add themselves as friends, cause I don't see any benefits to adding yourself as a friend, but I've said before, I could be mistaken.

[bourgeoa]

Thanks for reporting.
To help understand your problem could you tell us more:

• server used : NSS, CSS, public instance
• where do you store your friends ? Are you using agent Group ?
• how did you lock you out of your pod ?
  This is strange Pod owner has access to all ACL's

[elf-pavlik]

Sounds related to solid/specification#67

[bourgeoa]

NSS and CSS have implemented Owner to avoid lockout:

• NSS There could be multiple owners nodeSolidServer/node-solid-server#1606
• CSS https://matrix.to/#/!FYRTVjiUaXQvzzfwZM:gitter.im/$fhp1sTYojmsBnTwbtbby_WXeRrm0lMNicF3ZFw_giRM?via=gitter.im&via=matrix.org&via=attendees.fosdem.org

[uo284373]

Good night:
The problem that my partner @Omitg24 and I have encountered has been while developing an application in react using typescript. The objective of the application is to create personalized maps in which users can add markers with the places they have visited including comments and photos. To do this, we save the maps added by users in the POD inside a "lomap" folder that we create using jsonld format. So, from the application we allow the option to add friends to the POD when the user enters the webId of his friend. In addition, in order to see friends' bookmarks, we give the user the option to give permissions to their friends.
The problem we have found is that if the user enters his own webId he can add himself as a friend and if he gives himself permissions for some reason he stops having access to his maps.
To give permissions to the user's friends we generate the ACLs if they are not created and if not we take them and then through the setAgentResourceAccess function and the setAgentDefaultAccess function we set the read permissions. So the error is that by adding yourself as a friend and giving you permissions, they lose access to that folder to which you are giving permissions.

[bourgeoa]

So the error is that by adding yourself as a friend and giving you permissions,

You shall check that you are not your own freiend

they lose access to that folder to which you are giving permissions

You can repair this by editing the folder permissions. An owner can change all ACL resources in the pod even when he has no explicit Control in that ACL resource.

[Omitg24]

Yeah, I know, but in that case we ended, we added ourselves as a friend by mistake, and also, we gave us permissions so it kind of broke everything and we weren't able to access our folder or either repair it.

We are commenting this, just in case its not working as it should, but as I've said, maybe it was a mistake of ours...

[bourgeoa]

To help you more or see if something is wrong you need to give some real information. Like a link to the folder. Which server you are using.

Without this we cannot do anything not even trying to reproduce or resolve an issue.