refactor: use scopes to limit access to annotation review data#83
Merged
mirdono merged 3 commits on Apr 10, 2026
Conversation
Replace the public read+write permission to the human-validation graph by a scoped permission for the `annotation-review-service`. This way only this service can write `ext:ReviewAnnotation` resources to that graph. Furthermore, additional scoped permissions are added such that the service can read data from the appropriate graphs.
During development it can be useful to easily switch between the Lisp and ODRL config. The added commented lines allow you to do this by simply uncommenting them if you want the Lisp config.
Replace the public read+write grant to the human-validation graph by a scoped grant for the `annotation-review-service`. This way only this service can write `ext:ReviewAnnotation` resources to that graph. Furthermore, additional scoped grants are added such that the service can read data from the appropriate graphs.
Rahien (Contributor) approved these changes on Apr 10, 2026
Rahien left a comment:
works as advertised! pretty cool to see a mu-auth config in ttl!!
Initially sparql-parser's ODRL configuration lacked support for scopes. Consequently, in #74 we had to provide public read and write access to the human-validation graph[^1]. We have introduced support for scopes in sparql-parser's ODRL feature build. This allows us to update the ODRL (and Lisp) configuration with scopes so as to limit write access to the human-validation graph to only the `annotation-review-service`.

How to test
- `docker compose pull database`
- `docker compose pull annotation-review`
- Re-up the `database` and `annotation-review` services: `docker compose up -d database annotation-review`
- The `frontend-decide-human-validator` is needed for the following steps. So either
  a. add the following entry to your `docker-compose.override.yml`: … Afterwards, pull and re-up this frontend service; or
  b. …
- If you opted for option 4.b for the frontend, browse to http://localhost:4200/expressions and http://localhost:4200/validate-expression-labels in steps 5 and 8 respectively.
Notes
Support for scopes was added directly to sparql-parser's ODRL feature branch, see #12. The relevant diff for that branch can be found here.
Related tickets
Footnotes
[^1]: Using sudo queries would have been another option. But with the introduction of scopes in sparql-parser this option is somewhat deprecated.
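To make the effect of the change concrete, here is an added example (not code from this PR, from sparql-parser or from mu-authorization) that models the before and after grants on the human-validation graph and evaluates a few callers against them. The grant structure, the graph URI, the caller names and the way the scope is read from a `mu-auth-scope` header are simplifying assumptions made for this example; the real ODRL and Lisp configuration is not reproduced here.

```python
"""Added example (not code from this PR, sparql-parser or mu-authorization):
a small model of the grant change the PR describes. Before, the human-validation
graph had a public read+write grant; after, access is tied to the
`annotation-review-service` scope and to ext:ReviewAnnotation resources.
The grant structure, graph URI and `mu-auth-scope` header handling are
simplifying assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed values for the example; the real graph URI is not given in the PR.
HUMAN_VALIDATION = "http://example.org/graphs/human-validation"
REVIEW_ANNOTATION = "ext:ReviewAnnotation"
REVIEW_SERVICE = "annotation-review-service"


@dataclass(frozen=True)
class Grant:
    """One permission on a graph. scope=None means public (any caller)."""
    graph: str
    actions: FrozenSet[str]                      # subset of {"read", "write"}
    scope: Optional[str] = None                  # required mu-auth-scope value
    rdf_types: Optional[FrozenSet[str]] = None   # None = any resource type


# Before (#74 as described in the PR): anyone may read and write the graph.
BEFORE: List[Grant] = [Grant(HUMAN_VALIDATION, frozenset({"read", "write"}))]

# After: only callers carrying the service's scope may read and write
# ext:ReviewAnnotation resources in the graph. Assumption for this example:
# no public grant on the graph remains.
AFTER: List[Grant] = [
    Grant(HUMAN_VALIDATION, frozenset({"read", "write"}),
          scope=REVIEW_SERVICE, rdf_types=frozenset({REVIEW_ANNOTATION})),
]


def authorized(policy: List[Grant], headers: Dict[str, str],
               action: str, graph: str, rdf_type: str) -> bool:
    """First-match evaluation: a request is allowed if some grant covers the
    graph, the action, the caller's scope and the resource type."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    scope = headers.get("mu-auth-scope")
    for grant in policy:
        if grant.graph != graph or action not in grant.actions:
            continue
        if grant.scope is not None and grant.scope != scope:
            continue
        if grant.rdf_types is not None and rdf_type not in grant.rdf_types:
            continue
        return True
    return False


def write_allowed_by(policy: List[Grant]) -> Dict[str, bool]:
    """Who can write an ext:ReviewAnnotation to the human-validation graph?
    Callers are constructed for the example."""
    callers = {
        "anonymous": {},
        "other-service": {"mu-auth-scope": "some-other-service"},
        "review-service": {"mu-auth-scope": REVIEW_SERVICE},
    }
    return {name: authorized(policy, h, "write", HUMAN_VALIDATION, REVIEW_ANNOTATION)
            for name, h in callers.items()}


if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, write_allowed_by(policy))
```

Two things worth keeping in mind when reading this. First, the scope is a value the calling service puts in a header; the policy only narrows who can write if untrusted callers cannot set that header themselves, so the scheme relies on the header being set or stripped at a trusted boundary (the dispatcher or the internal network) rather than on anything in the policy. Second, this is why a scoped grant is preferable to the sudo alternative mentioned in the footnote: a sudo query bypasses the policy altogether, whereas a scope grants the service exactly the read and write it needs on exactly the resource type it owns.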