Skip to main content


This package allows you to handle rights through the WebACL standard.


  • View and modify rights of any resources
  • Automatically add rights when LDP resources, LDP containers or ActivityPub collections are created
  • Create ACL groups, manage members of these groups





$ npm install @semapps/webacl --save


const { WebAclService } = require('@semapps/webacl');
module.exports = {
mixins: [WebAclService],
settings: {
baseUrl: 'http://localhost:3000/'

This service must be used with an instance of Fuseki which can handle WebAcl. We recommend to use the image semapps/jena-fuseki-webacl (see page on Docker Hub)

You will also need to add the WebAcl middleware to the broker settings.

// moleculer.config.js
const { WebAclMiddleware } = require('@semapps/webacl');
module.exports = {
middlewares: [

The WebAclMiddleware:

  • Protects the actions of the LDP service
  • Automatically updates ACL when LDP resources, LDP containers or ActivityPub collections are added or removed.


If you wish to properly cache the WebAcl and improve performances, we recommend that you add a Cacher middleware before the WebACL middleware.

// moleculer.config.js
const { WebAclMiddleware, CacherMiddleware } = require('@semapps/webacl');
module.exports = {
middlewares: [

See the Moleculer caching documentation to know what options can be passed.


baseUrlStringrequiredBase URL of the LDP server

Default permissions for new resources#

By default, new resources are created with these rights:

  • If the resource is created by an anonymous user:
    • acl:Read and acl:Write permissions are granted to all users
  • If the resource is created by an authenticated user:
    • acl:Read permission is granted to anonymous users
    • acl:Write and acl:Control permissions are granted to the creator
  • If the resource is created by the system (direct calls from other services):
    • acl:Read permission is granted to anonymous users
    • acl:Write permission is granted to authenticated users

If you wish to change these options, you can set the newResourcesPermissions parameter in LdpService's defaultContainerOptions, or to a particular container.

This newResourcesPermissions parameter can be:

  • An object in the form expected by the additionalRights parameters of the webacl.resource.addRights action (with keys "anon", "anyUser", "user", "group")
  • A function which receives the WebID of the creator (or "anon" if the user is not authenticated, or "system") and returns an object in the same shape

General notes#

  • The SemApps middleware will always connect to the SPARQL endpoint with a Basic Authorization header containing the admin user and its password.
  • If the middleware is doing a query on behalf of a SemApps user, it will send the WebID URI of this user in the HTTP header X-SemappsUser.
  • If no user is logged-in and the middleware is making a request as a public (anonymous) user, then the X-SemappsUser header will be sent with the value anon.
  • If to the contrary, the middleware is modifying the ACLs, it will send no header, or a header with the X-SemappsUser set to system.