pub fn is_path_allowed(path: &str) -> Result<(), DotfilePathError>Expand description
Decide whether path may be served, purely by inspecting its
segments. Returns Ok(()) when every segment is admissible.
A segment is admissible when any of the following hold:
- it does not start with
. - it is one of the statically-allowed dotfiles (
.acl,.meta,.well-known,.quota.json)
Resource-specific ACL/metadata sidecars like foo.acl / foo.meta
are admissible because their segment does not start with .; the
trailing-suffix form is therefore handled implicitly by the
first rule above.
Explicitly blocked:
.env,.git,.ssh, any other leading-dot name..(parent-dir traversal) anywhere in the path
The check is applied to every segment: a blocked segment anywhere in
the path fails the whole path (e.g. /pod/.git/HEAD is blocked).
Empty segments and . (current-dir) are ignored — they carry no
authorisation information. Leading / is honoured as the root.
Upstream parity: JavaScriptSolidServer/src/server.js:265-281 +
Solid §Identity Provider service container rules.