[OTDev] List of all resources and authentication

Nina Jeliazkova nina at acad.bg
Fri Jun 18 11:36:00 CEST 2010


Hi,

Good question.  The easiest workaround would be to return URIs of all
resources, regardless of the ownership/policy - if the user wants to
retrieve a representation of the particular resource, then the
authorisation applies.  This will not break protection of confidential
resources, since the client will get only links, not resources
themselves.  And this is how a typical web page works as well - you can
see the links, but accessing the links might require AA.

In fact, retrieving the list of resources should rely on the policy for the
top level resource (e.g. /model), which might have GET allowed for
everybody.

Best regards,
Nina

chung wrote:
> Hi All, 
>   If a user needs a list of all models or datasets (either a URI list or
> an RDF document) is the service supposed to return only his resources
> neglecting all others, or list all resources to which the user has access?
>
>  In the first case I guess some identifier for the user has to be saved
> in the database (e.g. bob at opentox.org). Checking all resources in the
> database for authorization one by one I think is out of the question for
> this would be a bottleneck. Maybe it is worth thinking about how the
> client can obtain a list of all resources it can access which of course
> might have been created by other users.
>
> Best regards,
> Pantelis
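The two listing strategies discussed in this thread, side by side, as an added Python example that is not part of the original messages or of the OpenTox code base. The class names, URIs, users and policy table are constructed for illustration; `checks` counts policy evaluations to show the cost difference raised in the question.

```python
# Added illustration; every name, URI and user below is constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the policy does not allow GET on a URI."""


@dataclass
class Policy:
    # uri -> set of subjects allowed to GET it; "*" means everybody.
    rules: dict = field(default_factory=dict)
    checks: int = 0  # number of policy evaluations performed

    def allows_get(self, user, uri):
        self.checks += 1
        allowed = self.rules.get(uri, set())  # no rule means deny
        return "*" in allowed or user in allowed


class ModelService:
    COLLECTION = "/model"

    def __init__(self, policy, models):
        self.policy = policy
        self.models = models  # uri -> representation

    def list_uris(self, user):
        # Reply's approach: one check on the top-level resource, links only.
        if not self.policy.allows_get(user, self.COLLECTION):
            raise Forbidden(self.COLLECTION)
        return sorted(self.models)

    def list_accessible_uris(self, user):
        # Question's alternative: one policy check per stored resource.
        return sorted(u for u in self.models if self.policy.allows_get(user, u))

    def get(self, user, uri):
        # Authorisation applies when the representation itself is requested.
        if not self.policy.allows_get(user, uri):
            raise Forbidden(uri)
        return self.models[uri]


def build_demo():
    policy = Policy({"/model": {"*"},
                     "/model/1": {"bob@example.org"},
                     "/model/2": {"alice@example.org"}})
    models = {"/model/1": "<rdf model 1>", "/model/2": "<rdf model 2>"}
    return policy, ModelService(policy, models)
```
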