Enforce ContentMode block-type restriction via SPIN constraint

namedgraph · claude · namedgraph · commit 744dfcbbf5bf · 2026-05-17T16:42:53.000+02:00
Add ldh:InvalidContentBlockType matching rdf:_N values whose explicit
type is neither ldh:Object nor ldh:XHTML, attached to def:Root, dh:Item,
dh:Container. Match rdf:_N by URI shape (REGEX) since RDFS inference
isn't enabled in the validation pipeline.

The constraint requires `?block a [] .` so it only fires on blocks with
an explicit non-Object/XHTML type — untyped/unknown blocks pass.
DocumentHierarchyGraphStoreImpl.patch() validates only triples of
changed resources, so neighbours' type triples aren't visible; a strict
"must be typed Object/XHTML" check would false-positive on every PATCH
of an existing Root/Container/Item.

Cover with positive and negative HTTP tests for both PUT and PATCH:
- PUT-content-blocks.sh accepts well-typed Object+XHTML blocks
- PUT-invalid-content-block-422.sh rejects sp:Construct in rdf:_N
- PATCH-invalid-content-block-422.sh mirrors the PUT negative on PATCH
- PATCH.sh unchanged in intent (untyped insertion remains 204)

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/http-tests/document-hierarchy/PATCH-invalid-content-block-422.sh b/http-tests/document-hierarchy/PATCH-invalid-content-block-422.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# PATCH the root with an rdf:_N pointing at a block explicitly typed as sp:Construct
+# (neither ldh:Object nor ldh:XHTML). Expected: rejected by ldh:InvalidContentBlockType with 422.
+# Use rdf:_99 to avoid colliding with existing rdf:_1..rdf:_8 in the test dataset.
+
+update=$(cat <<EOF
+PREFIX  rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
+PREFIX  sp:   <http://spinrdf.org/sp#>
+PREFIX  dct:  <http://purl.org/dc/terms/>
+
+INSERT
+{
+  <${END_USER_BASE_URL}> rdf:_99 <${END_USER_BASE_URL}#bad-block> .
+  <${END_USER_BASE_URL}#bad-block> a sp:Construct ;
+    dct:title "Not a valid content block" ;
+    sp:text "CONSTRUCT WHERE {}"
+}
+WHERE
+{}
+EOF
+)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -X PATCH \
+  -H "Content-Type: application/sparql-update" \
+  "$END_USER_BASE_URL" \
+   --data-binary "$update" \
+| grep -q "$STATUS_UNPROCESSABLE_ENTITY"
diff --git a/http-tests/document-hierarchy/PATCH.sh b/http-tests/document-hierarchy/PATCH.sh
@@ -43,4 +43,4 @@ curl -k -f -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
 "$END_USER_BASE_URL" \
-| grep "<${END_USER_BASE_URL}#whateverest>" > /dev/null
+| grep "<${END_USER_BASE_URL}#whateverest>" > /dev/null
diff --git a/http-tests/document-hierarchy/PUT-content-blocks.sh b/http-tests/document-hierarchy/PUT-content-blocks.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# create an item with random slug
+
+slug=$(uuidgen | tr '[:upper:]' '[:lower:]')
+
+item=$(create-item.sh \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  -b "$END_USER_BASE_URL" \
+  --title "Test item" \
+  --slug "$slug" \
+  --container "$END_USER_BASE_URL")
+
+# PUT a body where rdf:_1 points at an ldh:Object and rdf:_2 points at an ldh:XHTML.
+# Both are the only types ldh:InvalidContentBlockType accepts. Expected: 200 OK.
+
+curl -k -w "%{http_code}\n" -o /dev/null -f -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -X PUT \
+  -H "Accept: application/n-triples" \
+  -H "Content-Type: application/n-triples" \
+  --data-binary @- \
+  "$item" <<EOF \
+| grep -q "$STATUS_OK"
+<${item}> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/ns/ldt/document-hierarchy#Item> .
+<${item}> <http://purl.org/dc/terms/title> "Test item" .
+<${item}> <http://rdfs.org/sioc/ns#has_container> <${END_USER_BASE_URL}> .
+<${item}> <http://www.w3.org/1999/02/22-rdf-syntax-ns#_1> <${item}#obj> .
+<${item}> <http://www.w3.org/1999/02/22-rdf-syntax-ns#_2> <${item}#xhtml> .
+<${item}#obj> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/atomgraph/linkeddatahub#Object> .
+<${item}#obj> <http://www.w3.org/1999/02/22-rdf-syntax-ns#value> <${END_USER_BASE_URL}> .
+<${item}#xhtml> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/atomgraph/linkeddatahub#XHTML> .
+<${item}#xhtml> <http://www.w3.org/1999/02/22-rdf-syntax-ns#value> "<div xmlns=\"http://www.w3.org/1999/xhtml\"/>"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#XMLLiteral> .
+EOF
diff --git a/http-tests/document-hierarchy/PUT-invalid-content-block-422.sh b/http-tests/document-hierarchy/PUT-invalid-content-block-422.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# create an item with random slug
+
+slug=$(uuidgen | tr '[:upper:]' '[:lower:]')
+
+item=$(create-item.sh \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  -b "$END_USER_BASE_URL" \
+  --title "Test item" \
+  --slug "$slug" \
+  --container "$END_USER_BASE_URL")
+
+# PUT a body where rdf:_1 points at a block typed as something other than ldh:Object/ldh:XHTML
+# (here: sp:Construct, a SPARQL query — must be wrapped in ldh:Object to be a valid block).
+# Expected: rejected by ldh:InvalidContentBlockType with 422.
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -X PUT \
+  -H "Accept: application/n-triples" \
+  -H "Content-Type: application/n-triples" \
+  --data-binary @- \
+  "$item" <<EOF \
+| grep -q "$STATUS_UNPROCESSABLE_ENTITY"
+<${item}> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/ns/ldt/document-hierarchy#Item> .
+<${item}> <http://purl.org/dc/terms/title> "Test item" .
+<${item}> <http://rdfs.org/sioc/ns#has_container> <${END_USER_BASE_URL}> .
+<${item}> <http://www.w3.org/1999/02/22-rdf-syntax-ns#_1> <${item}#bad-block> .
+<${item}#bad-block> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://spinrdf.org/sp#Construct> .
+<${item}#bad-block> <http://purl.org/dc/terms/title> "Not a valid content block" .
+<${item}#bad-block> <http://spinrdf.org/sp#text> "CONSTRUCT WHERE {}" .
+EOF
diff --git a/src/main/resources/com/atomgraph/linkeddatahub/def.ttl b/src/main/resources/com/atomgraph/linkeddatahub/def.ttl
@@ -24,7 +24,7 @@
 :Root a owl:Class ;
     rdfs:subClassOf sioc:Space, sioc:Container ;
     spin:constructor ldh:TitleConstructor, ldh:DescriptionConstructor, ldh:PrimaryTopicConstructor, ldh:BlockConstructor ;
-    spin:constraint :MissingTitle ; # roots do not have parents, therefore no ldh:MissingParent
+    spin:constraint :MissingTitle, ldh:InvalidContentBlockType ; # roots do not have parents, therefore no ldh:MissingParent
     rdfs:label "Root" ;
     rdfs:isDefinedBy : .
 
@@ -36,9 +36,9 @@
 
 ### EXTERNAL ASSERTIONS
 
-dh:Container spin:constraint :MissingTitle .
+dh:Container spin:constraint :MissingTitle, ldh:InvalidContentBlockType .
 
-dh:Item  spin:constraint :MissingTitle .
+dh:Item  spin:constraint :MissingTitle, ldh:InvalidContentBlockType .
 
 # http://spinrdf.org/sp
 
diff --git a/src/main/resources/com/atomgraph/linkeddatahub/ldh.ttl b/src/main/resources/com/atomgraph/linkeddatahub/ldh.ttl
@@ -364,8 +364,8 @@ WHERE {
 :ConstructPropertyCardinality a sp:Construct ;
       sp:text """PREFIX  spin: <http://spinrdf.org/spin#>
 
-CONSTRUCT 
-  { 
+CONSTRUCT
+  {
     _:c0 a spin:ConstraintViolation .
     _:c0 spin:violationRoot ?this .
     _:c0 spin:violationPath ?arg1 .
@@ -380,6 +380,29 @@ WHERE
     rdfs:label "Construct property cardinality" ;
     rdfs:isDefinedBy : .
 
+# match rdf:_N by URI shape (RDFS inference is not enabled in the validation pipeline,
+# so ?p a rdfs:ContainerMembershipProperty would never match)
+:InvalidContentBlockType a sp:Construct ;
+    sp:text """PREFIX rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
+PREFIX spin: <http://spinrdf.org/spin#>
+PREFIX ldh:  <https://w3id.org/atomgraph/linkeddatahub#>
+
+CONSTRUCT {
+    _:cv a spin:ConstraintViolation .
+    _:cv spin:violationRoot ?this .
+    _:cv spin:violationPath ?p .
+    _:cv spin:violationValue ?block .
+}
+WHERE {
+    ?this ?p ?block .
+    FILTER (REGEX(STR(?p), \"^http://www\\\\.w3\\\\.org/1999/02/22-rdf-syntax-ns#_[0-9]+$\"))
+    ?block a [] . # only fire when the block is typed in this model; PATCH validation only sees triples of changed resources
+    FILTER NOT EXISTS { ?block a ldh:Object }
+    FILTER NOT EXISTS { ?block a ldh:XHTML }
+}""" ;
+    rdfs:label "Invalid content block type" ;
+    rdfs:isDefinedBy : .
+
 # SPIN TEMPLATES
 
 :MissingPropertyValue a spin:Template ;
