refactor(authz): add scoped grants for annotation-review-service

mirdono · mirdono · commit af5c2e9df2b9 · 2026-04-10T14:29:11.000+02:00
Replace the public read+write grant to the human-validation graph by a scoped
grant for the `annotation-review-service`. This way only this service can write
`ext:ReviewAnnotation` resources to that graph.

Furthermore, additional scoped grant are added such that the service can
read data from the appropriate graphs.
diff --git a/config/authorization/decide.lisp b/config/authorization/decide.lisp
@@ -185,40 +185,35 @@
        :to harvesting
        :for "logged-in")
 
-;; our ODRL implementation currently cannot handle scopes, but it would be more secure to do so
-; (with-scope "http://services.semantic.works/annotation-review-service"
-;   (grant (read write)
-;     :to human-validation
-;     :for "public"
-;   ))       
-
-; (with-scope "http://services.semantic.works/annotation-review-service"
-;   (grant (read)
-;     :to public
-;     :for "public"
-;   ))       
-
-; (with-scope "http://services.semantic.works/annotation-review-service"
-;   (grant (read)
-;     :to harvested-gent
-;     :for "public"
-;   ))       
-
-; (with-scope "http://services.semantic.works/annotation-review-service"
-;   (grant (read)
-;     :to harvested-freiburg
-;     :for "public"
-;   ))       
-
-; (with-scope "http://services.semantic.works/annotation-review-service"
-;   (grant (read)
-;     :to harvested-pdf
-;     :for "public"
-;   ))       
-;; instead we need to give public write access to user reviews
-(grant (read write)
-       :to-graph human-validation
-       :for-allowed-group "public")
+(with-scope "http://services.semantic.works/annotation-review-service"
+  (grant (read write)
+    :to-graph human-validation
+    :for-allowed-group "public"))
+
+(with-scope "http://services.semantic.works/annotation-review-service"
+  (grant (read)
+    :to-graph public
+    :for-allowed-group "public"))
+
+(with-scope "http://services.semantic.works/annotation-review-service"
+  (grant (read)
+    :to-graph harvested-gent
+    :for-allowed-group "public"))
+
+(with-scope "http://services.semantic.works/annotation-review-service"
+  (grant (read)
+    :to-graph harvested-freiburg
+    :for-allowed-group "public"))
+
+(with-scope "http://services.semantic.works/annotation-review-service"
+  (grant (read)
+    :to-graph harvested-pdf
+    :for-allowed-group "public"))
+
+(with-scope "http://services.semantic.works/annotation-review-service"
+  (grant (read)
+    :to-graph ai
+    :for-allowed-group "public"))
 
 (supply-allowed-group "logged-in"
                       :query "PREFIX session: <http://mu.semte.ch/vocabularies/session/>
