From 5bbc567dddadfcd5b7a275c0496f9da59c7516e9 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Tue, 7 May 2019 13:34:19 -0400
Subject: [PATCH 01/10] feat: upgrade orbitdb and ipfs

---
 package.json             | 12 +++++++++---
 src/3box.js              | 16 ++++++++-------
 src/3id/index.js         |  2 +-
 src/3id/keyring.js       | 13 ++++++++++++-
 src/3id/orbitProvider.js | 42 ++++++++++++++++++++++++++++++++++++++++
 src/keyValueStore.js     | 14 +++++++++-----
 src/thread.js            | 10 ++++++----
 7 files changed, 88 insertions(+), 21 deletions(-)
 create mode 100644 src/3id/orbitProvider.js

diff --git a/package.json b/package.json
index 8341b22f..f700c42e 100644
--- a/package.json
+++ b/package.json
@@ -43,19 +43,25 @@
   },
   "homepage": "https://github.com/3box/3box-js#readme",
   "dependencies": {
-    "@babel/runtime": "^7.1.2",
+    "@babel/runtime": "^7.4.4",
     "did-jwt": "^0.1.1",
+    "elliptic": "^6.4.1",
     "ethers": "^4.0.20",
     "graphql-request": "^1.8.2",
     "https-did-resolver": "^0.1.0",
-    "ipfs": "^0.33.1",
+    "idb-readable-stream": "0.0.4",
+    "ipfs": "^0.34.4",
     "ipfs-mini": "^1.1.5",
     "ipfs-postmsg-proxy": "^3.1.1",
     "js-sha256": "^0.9.0",
     "muport-did-resolver": "^0.3.0-alpha.2",
     "node-fetch": "^2.3.0",
-    "orbit-db": "git://github.com/orbitdb/orbit-db.git#dddb271",
+    "orbit-db": "git://github.com/3box/orbit-db.git#feat/legacy-create",
+    "orbit-db-access-controllers": "git://github.com/3box/orbit-db-access-controllers.git#feat/legacy-ac-support",
     "orbit-db-cache-postmsg-proxy": "^0.1.1",
+    "orbit-db-identity-provider": "^0.1.0",
+    "orbit-db-io": "git://github.com/3box/orbit-db-io.git#feat/backwards-compatibility",
+    "orbit-db-pubsub": "^0.5.5",
     "store": "^2.0.12",
     "tweetnacl": "^1.0.1",
     "tweetnacl-util": "^0.15.0"
diff --git a/src/3box.js b/src/3box.js
index c33e4e68..4c2440bd 100644
--- a/src/3box.js
+++ b/src/3box.js
@@ -78,18 +78,20 @@ class Box {
     this.pinningNode = opts.pinningNode || PINNING_NODE
     this._ipfs.swarm.connect(this.pinningNode, () => {})
 
+    const keyring = this._3id.getKeyringBySpaceName(rootStoreName)
+    const identity = await keyring.getIdentity()
+    const key = keyring.getDBKey()
     // const cache = (opts.iframeStore && !!cacheProxy) ? cacheProxy : null
-    this._orbitdb = new OrbitDB(this._ipfs, opts.orbitPath) // , { cache })
+    this._orbitdb = new OrbitDB(this._ipfs, identity, opts.orbitPath) // , { cache })
     globalOrbitDB = this._orbitdb
-
-    const dbKey = this._3id.getKeyringBySpaceName(rootStoreName).getDBKey()
-    const key = await this._orbitdb.keystore.importPrivateKey(dbKey)
     this._rootStore = await this._orbitdb.feed(rootStoreName, {
-      key,
-      write: [key.getPublic('hex')]
+      identity,
+      accessController: {
+        write: [key.getPublic('hex')],
+        legacy: true
+      }
     })
     const rootStoreAddress = this._rootStore.address.toString()
-
     this._pubsub = new Pubsub(this._ipfs, (await this._ipfs.id()).id)
 
     const onNewPeer = async (topic, peer) => {
diff --git a/src/3id/index.js b/src/3id/index.js
index 90b3b39f..19f3ab1d 100644
--- a/src/3id/index.js
+++ b/src/3id/index.js
@@ -57,7 +57,7 @@ class ThreeId {
   async _initMuport (muportIpfs) {
     let keys = this._mainKeyring.getPublicKeys()
     const doc = createMuportDocument(keys.signingKey, this.managementAddress, keys.asymEncryptionKey)
-    let docHash = (await this._ipfs.files.add(Buffer.from(JSON.stringify(doc))))[0].hash
+    let docHash = (await this._ipfs.add(Buffer.from(JSON.stringify(doc))))[0].hash
     this._muportDID = 'did:muport:' + docHash
     this.muportFingerprint = utils.sha256Multihash(this._muportDID)
     const publishToInfura = async () => {
diff --git a/src/3id/keyring.js b/src/3id/keyring.js
index 066c331c..f1cee8e7 100644
--- a/src/3id/keyring.js
+++ b/src/3id/keyring.js
@@ -3,6 +3,12 @@ const nacl = require('tweetnacl')
 nacl.util = require('tweetnacl-util')
 const SimpleSigner = require('did-jwt').SimpleSigner
 const { sha256 } = require('../utils/index')
+const EC = require('elliptic').ec
+const ec = new EC('secp256k1')
+const IdentityProvider = require('./orbitProvider')
+const Identities = require('orbit-db-identity-provider')
+
+Identities.addIdentityProvider(IdentityProvider)
 
 const BASE_PATH = "m/7696500'/0'/0'"
 const MM_PATH = "m/44'/60'/0'/0"
@@ -58,7 +64,12 @@ class Keyring {
   }
 
   getDBKey () {
-    return this.signingKey.privateKey.slice(2)
+    return ec.keyFromPrivate(this.signingKey.privateKey.slice(2))
+  }
+
+  async getIdentity () {
+    const key = this.getDBKey()
+    return await Identities.createIdentity({ type: `3ID`, pubKey: key.getPublic('hex')})
   }
 
   getDBSalt () {
diff --git a/src/3id/orbitProvider.js b/src/3id/orbitProvider.js
new file mode 100644
index 00000000..e9d681d9
--- /dev/null
+++ b/src/3id/orbitProvider.js
@@ -0,0 +1,42 @@
+// const Identities = require('orbit-db-identity-provider')
+const IdentityProvider = require('orbit-db-identity-provider/src/identity-provider-interface.js')
+
+
+class OrbitIdentityProvider {
+  constructor (options={}) {
+    // super(options)
+    console.log('create new identity')
+    console.log(options)
+    this.pubKey = options.pubKey
+    console.log('pubkey')
+    console.log(this.pubKey)
+  }
+
+  static get type () { return '3ID' } // return type
+  // return identifier of external id (eg. a public key)
+  async getId () {
+    return this.pubKey
+  }
+  //return a signature of data (signature of the OrbtiDB public key)
+  async signIdentity (data) {
+    return 'signedstring'
+  }
+
+   //return true if identity.sigantures are valid
+  static async verifyIdentity (identity) {
+    console.log(identity)
+    return true
+   }
+}
+
+
+module.exports =  OrbitIdentityProvider
+
+// Identities.addIdentityProvider(MyIdentityProvider)
+
+// to create an identity of type `MyIdentityType`
+// const identity = await Identities.createIdentity({ type: `MyIdentityType`})
+
+// module.exports = (pubKey) => {
+//   return new OrbitProvider(pubkey )
+// }
diff --git a/src/keyValueStore.js b/src/keyValueStore.js
index 888dd7d0..e4371348 100644
--- a/src/keyValueStore.js
+++ b/src/keyValueStore.js
@@ -141,11 +141,15 @@ class KeyValueStore {
   }
 
   async _load (odbAddress) {
-    const dbKey = this._3id.getKeyringBySpaceName(this._name).getDBKey()
-    const key = await this._orbitdb.keystore.importPrivateKey(dbKey)
+    const keyring = this._3id.getKeyringBySpaceName(this._name)
+    const identity = await keyring.getIdentity()
+    const key = keyring.getDBKey()
     this._db = await this._orbitdb.keyvalue(odbAddress || this._name, {
-      key,
-      write: [key.getPublic('hex')]
+      identity,
+      accessController: {
+        write: [key.getPublic('hex')],
+        legacy: true
+      }
     })
     await this._db.load()
     return this._db.address.toString()
@@ -162,7 +166,7 @@ class KeyValueStore {
 
   async all () {
     this._requireLoad()
-    const entries = await this._db.all()
+    const entries = await this._db.all
     let allSimple = {}
     Object.keys(entries).map(key => { allSimple[key] = entries[key].value })
     return allSimple
diff --git a/src/thread.js b/src/thread.js
index 682b3585..0dea2221 100644
--- a/src/thread.js
+++ b/src/thread.js
@@ -83,11 +83,13 @@ class Thread {
 
   async _load (odbAddress) {
     // TODO - threads should use the space keyring once pairwise DIDs are implemented
-    const dbKey = this._3id._mainKeyring.getDBKey()
-    const key = await this._orbitdb.keystore.importPrivateKey(dbKey)
+    const identity = await this._3id._mainKeyring.getIdentity()
     this._db = await this._orbitdb.log(odbAddress || this._name, {
-      key,
-      write: ['*']
+      identity,
+      accessController: {
+        write: ['*'],
+        legacy: true
+      }
     })
     await this._db.load()
     this._address = this._db.address.toString()

From 01a19fcad6563f6bd892db6ddb048f1e3b5fb3f9 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Thu, 16 May 2019 10:26:43 -0400
Subject: [PATCH 02/10] feat: poc thread access controllers

---
 example/index.html                   |   4 +
 example/index.js                     |  23 ++++-
 src/3box.js                          |  12 ++-
 src/access/moderator-access.js       |  40 +++++++++
 src/access/thread-open-mod-access.js | 126 +++++++++++++++++++++++++++
 src/thread.js                        |  40 +++++++--
 6 files changed, 237 insertions(+), 8 deletions(-)
 create mode 100644 src/access/moderator-access.js
 create mode 100644 src/access/thread-open-mod-access.js

diff --git a/example/index.html b/example/index.html
index 38f0bf21..e5fb4a95 100644
--- a/example/index.html
+++ b/example/index.html
@@ -81,6 +81,10 @@ <h5 style="padding: 20px 0px 10px 0px" id="spacePriv"> </h5>
           <h3> Threads: </h3>
           <input type="text" id="threadName" placeholder="Join thread by name">
           <button id="joinThread" type="button" class="btn btn btn-primary" >Join thread</button>
+
+          <input type="text" id="threadMod" placeholder="Add a thread Mod">
+          <button id="addThreadMod" type="button" class="btn btn btn-primary" >Add thread Mod</button>
+
           <div id="posts" style="display: none;">
             <h4> Posts: </h4>
             <p>
diff --git a/example/index.js b/example/index.js
index 43ae1216..00660456 100644
--- a/example/index.js
+++ b/example/index.js
@@ -103,11 +103,32 @@ bopen.addEventListener('click', event => {
         })
       })
 
+      addThreadMod.addEventListener('click', () => {
+        const name = threadMod.value
+        posts.style.display = 'block'
+        window.currentThread.addMod(name).then(res => {
+          console.log(res)
+        })
+      })
+
       const updateThreadData = () => {
         threadData.innerHTML = ''
+        window.deletePost = (el) => {
+          console.log('delete ' + el.id)
+          window.currentThread.deletePost(el.id)
+        }
         window.currentThread.getPosts().then(posts => {
           posts.map(post => {
-            threadData.innerHTML += post.author + ': <br />' + post.message + '<br /><br />'
+            threadData.innerHTML += post.author + ': <br />' + post.message  + '<br /><br />'
+            threadData.innerHTML += `<button id="` + post.postId + `"onClick="window.deletePost(` + post.postId + `)" type="button" class="btn btn btn-primary" >Delete</button>` + '<br /><br />'
+            // post.postId.addEventListener('click', () => {
+              // console.log('delete me')
+              // const name = threadMod.value
+              // posts.style.display = 'block'
+              // window.currentThread.addMod(name).then(res => {
+              //   console.log(res)
+              // })
+            // })
           })
         })
       }
diff --git a/src/3box.js b/src/3box.js
index 4c2440bd..263d2439 100644
--- a/src/3box.js
+++ b/src/3box.js
@@ -15,6 +15,13 @@ const idUtils = require('./utils/id')
 const config = require('./config.js')
 const API = require('./api')
 
+let AccessControllers = require('orbit-db-access-controllers')
+const ThreadAccessController = require('./access/thread-open-mod-access')
+const ModeratorAccessController = require('./access/moderator-access')
+AccessControllers.addAccessController({ AccessController: ThreadAccessController })
+AccessControllers.addAccessController({ AccessController: ModeratorAccessController })
+
+
 const ADDRESS_SERVER_URL = config.address_server_url
 const PINNING_NODE = config.pinning_node
 const PINNING_ROOM = config.pinning_room
@@ -82,7 +89,10 @@ class Box {
     const identity = await keyring.getIdentity()
     const key = keyring.getDBKey()
     // const cache = (opts.iframeStore && !!cacheProxy) ? cacheProxy : null
-    this._orbitdb = new OrbitDB(this._ipfs, identity, opts.orbitPath) // , { cache })
+    // this._orbitdb = new OrbitDB(this._ipfs, identity, opts.orbitPath) // , { cache })
+    this._orbitdb = new OrbitDB(this._ipfs, identity, {
+      AccessControllers: AccessControllers
+    })
     globalOrbitDB = this._orbitdb
     this._rootStore = await this._orbitdb.feed(rootStoreName, {
       identity,
diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
new file mode 100644
index 00000000..1c33e7b4
--- /dev/null
+++ b/src/access/moderator-access.js
@@ -0,0 +1,40 @@
+// 'use strict'
+const { io } = require('orbit-db-access-controllers/src/utils')
+const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
+const type = 'moderator-access'
+
+class ModeratorAccessController {
+  constructor (ipfs, options) {
+    this._write = []
+  }
+
+  static get type () { return type }
+
+  async canAppend (entry, identityProvider) {
+    const mod = entry.identity.id
+    const modAddId = entry.payload.value
+
+    // Can write to moderator list store if in prior entry id was given permission (added to list)
+    if (this._write.length === 0 || this._write.includes(mod) ) {
+      this._write.push(modAddId)
+      return true
+    }
+
+    return false
+  }
+
+  async load (address) {
+    
+  }
+
+
+  async save () {
+    return { address: 'moderator-access' }
+  }
+
+  static async create (orbitdb, options = {}) {
+    return new ModeratorAccessController()
+  }
+}
+
+module.exports = ModeratorAccessController
diff --git a/src/access/thread-open-mod-access.js b/src/access/thread-open-mod-access.js
new file mode 100644
index 00000000..bc0f6716
--- /dev/null
+++ b/src/access/thread-open-mod-access.js
@@ -0,0 +1,126 @@
+'use strict'
+
+const pMapSeries = require('p-map-series')
+const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
+const ensureAddress = require('orbit-db-access-controllers/src/utils/ensure-ac-address')
+const entryIPFS = require('ipfs-log/src/entry')
+
+const type = 'thread-access'
+
+class ThreadAccessController {
+  constructor (orbitdb, ipfs, options) {
+    // super()
+    this._orbitdb = orbitdb
+    this._db = null
+    this._options = options || {}
+    this._ipfs = ipfs
+  }
+
+  // Returns the type of the access controller
+  static get type () { return type }
+
+  // Returns the address of the OrbitDB used as the AC
+  get address () {
+    return this._db.address
+  }
+
+  async canAppend (entry, identityProvider) {
+    const op = entry.payload.op
+    const mods = this.capabilities['mod']
+
+    // Anyone can add a message
+    if (op === 'ADD') {
+      return true
+    }
+
+    if (op === 'DEL') {
+      const hash = entry.payload.value
+      const delEntry = await entryIPFS.fromMultihash(this._ipfs, hash)
+
+      // An id can delete their own entries
+      if (delEntry.identity.id === entry.identity.id) {
+        return true
+      }
+
+      // Mods can't delete other mods entries
+      if (mods.includes(delEntry.identity.id)) {
+        return false
+      }
+
+      // Mods can delete any other entries
+      if (mods.includes(entry.identity.id)) {
+        return true
+      }
+    }
+
+
+    return false
+  }
+
+  get capabilities () {
+    if (this._db) {
+      let capabilities = {}
+      const mods = Object.entries(this._db.index).map(entry => entry[1].payload.value)
+      capabilities['mod'] = mods
+      return capabilities
+    }
+    return {}
+  }
+
+  get (capability) {
+    return this.capabilities[capability] || new Set([])
+  }
+
+  async close () {
+    await this._db.close()
+  }
+
+  async load (address) {
+    if (this._db) { await this._db.close() }
+    // Force '<address>/_access' naming for the database
+    this._db = await this._orbitdb.feed(ensureAddress(address), {
+      // Use moderator access controller
+      accessController: {
+        type: 'moderator-access',
+      },
+      sync: true
+    })
+
+    //TODO Move somehwere else. but try to add id opening, in case they are first to open this thread
+    await this._db.add(this._db.identity.id)
+
+    this._db.events.on('ready', this._onUpdate.bind(this))
+    this._db.events.on('write', this._onUpdate.bind(this))
+    this._db.events.on('replicated', this._onUpdate.bind(this))
+
+    await this._db.load()
+  }
+
+  async save () {
+    // return the manifest data
+    return {
+      address: this._db.address.toString()
+    }
+  }
+
+  async grant (capability, key) {
+    // may use capability after for member vs mod
+    await this._db.add(key)
+  }
+
+  /* Private methods */
+  _onUpdate () {
+    // this.emit('updated')
+    // TODO add back
+  }
+
+  /* Factory */
+  static async create (orbitdb, options = {}) {
+    const ac = new ThreadAccessController(orbitdb, orbitdb._ipfs, options)
+    // Thread address here
+    await ac.load(options.address || 'thread-access-controller')
+    return ac
+  }
+}
+
+module.exports = ThreadAccessController
diff --git a/src/thread.js b/src/thread.js
index 0dea2221..f7acd9ca 100644
--- a/src/thread.js
+++ b/src/thread.js
@@ -28,6 +28,28 @@ class Thread {
     })
   }
 
+  /**
+   * Post a message to the thread
+   *
+   * @param     {String}    id                      Moderator Id
+   * @return    {String}                            The postId of the new post
+   */
+  async addMod (id) {
+    this._requireLoad()
+    return this._db.access.grant('mod', id)
+  }
+
+  /**
+   * Delete post
+   *
+   * @param     {String}    id                      Moderator Id
+   * @return    {String}                            The postId of the new post
+   */
+  async deletePost (hash) {
+    this._requireLoad()
+    return this._db.remove(hash)
+  }
+
   /**
    * Returns an array of posts, based on the options.
    * If hash not found when passing gt, gte, lt, or lte,
@@ -75,20 +97,26 @@ class Thread {
       }
     })
     this._db.events.on('write', (dbname, entry) => {
-      let post = entry.payload.value
-      post.postId = entry.hash
-      newPostFn(post)
+      if (entry.payload.op === 'ADD') {
+        let post = entry.payload.value
+        post.postId = entry.hash
+        newPostFn(post)
+      }
     })
   }
 
   async _load (odbAddress) {
     // TODO - threads should use the space keyring once pairwise DIDs are implemented
     const identity = await this._3id._mainKeyring.getIdentity()
-    this._db = await this._orbitdb.log(odbAddress || this._name, {
+    this._db = await this._orbitdb.feed(odbAddress || this._name, {
       identity,
+      // accessController: {
+      //   write: ['*'],
+      //   legacy: true
+      // }
       accessController: {
-        write: ['*'],
-        legacy: true
+        type: 'thread-access',
+        address: odbAddress
       }
     })
     await this._db.load()

From c52406e9d2d6bbf8d4dd631e47f3757abe9a9411 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Thu, 16 May 2019 13:07:58 -0400
Subject: [PATCH 03/10] feat: poc member only thread

---
 src/access/moderator-access.js       | 11 ++++---
 src/access/thread-open-mod-access.js | 48 ++++++++++++++++------------
 2 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index 1c33e7b4..f82caea9 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -5,18 +5,19 @@ const type = 'moderator-access'
 
 class ModeratorAccessController {
   constructor (ipfs, options) {
+    // Allowed to add other mods or members
     this._write = []
   }
 
   static get type () { return type }
 
   async canAppend (entry, identityProvider) {
-    const mod = entry.identity.id
-    const modAddId = entry.payload.value
+    const entryID = entry.identity.id
+    const isMod = this._write.includes(entryID)
 
-    // Can write to moderator list store if in prior entry id was given permission (added to list)
-    if (this._write.length === 0 || this._write.includes(mod) ) {
-      this._write.push(modAddId)
+    if (this._write.length === 0 || isMod ) {
+      const capability = entry.payload.value.capability
+      if (capability === 'mod') this._write.push(modAddId)
       return true
     }
 
diff --git a/src/access/thread-open-mod-access.js b/src/access/thread-open-mod-access.js
index bc0f6716..115ce236 100644
--- a/src/access/thread-open-mod-access.js
+++ b/src/access/thread-open-mod-access.js
@@ -7,6 +7,7 @@ const entryIPFS = require('ipfs-log/src/entry')
 
 const type = 'thread-access'
 
+// TODO need extend access controller interface?
 class ThreadAccessController {
   constructor (orbitdb, ipfs, options) {
     // super()
@@ -14,6 +15,7 @@ class ThreadAccessController {
     this._db = null
     this._options = options || {}
     this._ipfs = ipfs
+    this._members = options.members
   }
 
   // Returns the type of the access controller
@@ -27,10 +29,14 @@ class ThreadAccessController {
   async canAppend (entry, identityProvider) {
     const op = entry.payload.op
     const mods = this.capabilities['mod']
+    const member = this.capabilities['member']
 
-    // Anyone can add a message
     if (op === 'ADD') {
-      return true
+      // Anyone can add entry if open thread
+      if (!this._members) { return true }
+      // Not open thread, any member or mod can add to thread
+      if (members.includes(entry.identity.id) { return true }
+      if (mods.includes(entry.identity.id) { return true }
     }
 
     if (op === 'DEL') {
@@ -38,37 +44,36 @@ class ThreadAccessController {
       const delEntry = await entryIPFS.fromMultihash(this._ipfs, hash)
 
       // An id can delete their own entries
-      if (delEntry.identity.id === entry.identity.id) {
-        return true
-      }
+      if (delEntry.identity.id === entry.identity.id) { return true }
 
       // Mods can't delete other mods entries
-      if (mods.includes(delEntry.identity.id)) {
-        return false
-      }
+      if (mods.includes(delEntry.identity.id)) { return false }
 
       // Mods can delete any other entries
-      if (mods.includes(entry.identity.id)) {
-        return true
-      }
+      if (mods.includes(entry.identity.id)) { return true }
     }
 
-
     return false
   }
 
   get capabilities () {
+    // TODO dont do this for every entry, save result, update on db change
     if (this._db) {
-      let capabilities = {}
-      const mods = Object.entries(this._db.index).map(entry => entry[1].payload.value)
-      capabilities['mod'] = mods
-      return capabilities
+      let mod = []
+      let member = []
+      Object.entries(this._db.index).forEach(entry => {
+        const capability = entry[1].payload.value.capability
+        const id = entry[1].payload.value.id
+        if (capability === 'mod') mod.push(id)
+        if (capability === 'member') member.push(id)
+      })
+      return {mod, member}
     }
     return {}
   }
 
   get (capability) {
-    return this.capabilities[capability] || new Set([])
+    return this.capabilities[capability] || []
   }
 
   async close () {
@@ -78,6 +83,8 @@ class ThreadAccessController {
   async load (address) {
     if (this._db) { await this._db.close() }
     // Force '<address>/_access' naming for the database
+    // TODO should memeber and non member threads create different acess controllers
+    // or how to deal with threads with same name with member and non member (different names?)
     this._db = await this._orbitdb.feed(ensureAddress(address), {
       // Use moderator access controller
       accessController: {
@@ -103,9 +110,10 @@ class ThreadAccessController {
     }
   }
 
-  async grant (capability, key) {
-    // may use capability after for member vs mod
-    await this._db.add(key)
+  async grant (capability, id) {
+    // TODO limit capabilities
+    // TODO  sanitize key
+    await this._db.add({capability, id})
   }
 
   /* Private methods */

From cad928713d3f6ee81631da58d6fda69321d74d0a Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Fri, 17 May 2019 08:47:40 -0400
Subject: [PATCH 04/10] feat: pass through member only opt, add new funcs to
 thread api

---
 example/index.js                     | 20 ++++------
 src/access/thread-open-mod-access.js |  7 ++--
 src/space.js                         |  3 +-
 src/thread.js                        | 58 +++++++++++++++++++++++-----
 4 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/example/index.js b/example/index.js
index 00660456..f7b1af6b 100644
--- a/example/index.js
+++ b/example/index.js
@@ -97,7 +97,7 @@ bopen.addEventListener('click', event => {
         box.spaces[window.currentSpace].joinThread(name).then(thread => {
           window.currentThread = thread
           thread.onNewPost(post => {
-            threadData.innerHTML += post.author + ': <br />' + post.message + '<br /><br />'
+            updateThreadData()
           })
           updateThreadData()
         })
@@ -111,24 +111,18 @@ bopen.addEventListener('click', event => {
         })
       })
 
+      window.deletePost = (el) => {
+        window.currentThread.deletePost(el.id).then(res => {
+          updateThreadData()
+        })
+      }
+
       const updateThreadData = () => {
         threadData.innerHTML = ''
-        window.deletePost = (el) => {
-          console.log('delete ' + el.id)
-          window.currentThread.deletePost(el.id)
-        }
         window.currentThread.getPosts().then(posts => {
           posts.map(post => {
             threadData.innerHTML += post.author + ': <br />' + post.message  + '<br /><br />'
             threadData.innerHTML += `<button id="` + post.postId + `"onClick="window.deletePost(` + post.postId + `)" type="button" class="btn btn btn-primary" >Delete</button>` + '<br /><br />'
-            // post.postId.addEventListener('click', () => {
-              // console.log('delete me')
-              // const name = threadMod.value
-              // posts.style.display = 'block'
-              // window.currentThread.addMod(name).then(res => {
-              //   console.log(res)
-              // })
-            // })
           })
         })
       }
diff --git a/src/access/thread-open-mod-access.js b/src/access/thread-open-mod-access.js
index 115ce236..382d764a 100644
--- a/src/access/thread-open-mod-access.js
+++ b/src/access/thread-open-mod-access.js
@@ -35,8 +35,8 @@ class ThreadAccessController {
       // Anyone can add entry if open thread
       if (!this._members) { return true }
       // Not open thread, any member or mod can add to thread
-      if (members.includes(entry.identity.id) { return true }
-      if (mods.includes(entry.identity.id) { return true }
+      if (members.includes(entry.identity.id)) { return true }
+      if (mods.includes(entry.identity.id)) { return true }
     }
 
     if (op === 'DEL') {
@@ -84,7 +84,8 @@ class ThreadAccessController {
     if (this._db) { await this._db.close() }
     // Force '<address>/_access' naming for the database
     // TODO should memeber and non member threads create different acess controllers
-    // or how to deal with threads with same name with member and non member (different names?)
+    // or how to deal with threads with same name with member and non member (different names?
+    //  address of this access controler probably should just change, then different thread name
     this._db = await this._orbitdb.feed(ensureAddress(address), {
       // Use moderator access controller
       accessController: {
diff --git a/src/space.js b/src/space.js
index ba873117..241086bb 100644
--- a/src/space.js
+++ b/src/space.js
@@ -56,6 +56,7 @@ class Space {
    *
    * @param     {String}    name                    The name of the thread
    * @param     {Object}    opts                    Optional parameters
+   * @param     {Object}    opts.membersOnly        join a members only thread, which only members can post in
    * @param     {Boolean}   opts.noAutoSub          Disable auto subscription to the thread when posting to it (default false)
    *
    * @return    {Thread}                            An instance of the thread class for the joined thread
@@ -64,7 +65,7 @@ class Space {
     console.warn('WARNING: Threads are still experimental, we recommend not relying on this feature for produciton yet.')
     if (this._activeThreads[name]) return this._activeThreads[name]
     const subscribeFn = opts.noAutoSub ? () => {} : this.subscribeThread.bind(this, name)
-    const thread = new Thread(this._orbitdb, namesTothreadName(this._name, name), this._3id, subscribeFn, this._ensureConnected)
+    const thread = new Thread(this._orbitdb, namesTothreadName(this._name, name), this._3id, opts.membersOnly, subscribeFn, this._ensureConnected)
     await thread._load()
     this._activeThreads[name] = thread
     return thread
diff --git a/src/thread.js b/src/thread.js
index f7acd9ca..a3252084 100644
--- a/src/thread.js
+++ b/src/thread.js
@@ -2,13 +2,14 @@ class Thread {
   /**
    * Please use **space.joinThread** to get the instance of this class
    */
-  constructor (orbitdb, name, threeId, subscribe, ensureConnected) {
+  constructor (orbitdb, name, threeId, membersOnly, subscribe, ensureConnected) {
     this._orbitdb = orbitdb
     this._name = name
     this._3id = threeId
     this._subscribe = subscribe
     this._ensureConnected = ensureConnected
     this._queuedNewPosts = []
+    this._membersOnly = membersOnly
   }
 
   /**
@@ -29,21 +30,63 @@ class Thread {
   }
 
   /**
-   * Post a message to the thread
+   * Add a moderator to this thread
    *
    * @param     {String}    id                      Moderator Id
-   * @return    {String}                            The postId of the new post
    */
   async addMod (id) {
     this._requireLoad()
     return this._db.access.grant('mod', id)
   }
 
+  /**
+   * List moderators
+   *
+   * @return    {Array<String>}      Array of moderator DIDs
+   */
+  async listMods () {
+    this._requireLoad()
+    return this._db.access.capabilities['mod']
+  }
+
+
+  /**
+   * List moderators
+   *
+   * @return    {Array<String>}      Array of moderator DIDs
+   */
+  async listMods () {
+    this._requireLoad()
+    return this._db.access.capabilities['mod']
+  }
+
+  /**
+   * Add a member to this thread
+   *
+   * @param     {String}    id                      Member Id
+   */
+  async addMember (id) {
+    // TOOD throw is not a member only thread
+    this._requireLoad()
+    return this._db.access.grant('member', id)
+  }
+
+  /**
+   * List members
+   *
+   * @return    {Array<String>}      Array of member DIDs
+   */
+  async listMembers () {
+    // TODO maybe throw is not a member only thread, or * to indicate all (like orbit)
+    this._requireLoad()
+    return this._db.access.capabilities['member']
+  }
+
+
   /**
    * Delete post
    *
    * @param     {String}    id                      Moderator Id
-   * @return    {String}                            The postId of the new post
    */
   async deletePost (hash) {
     this._requireLoad()
@@ -110,13 +153,10 @@ class Thread {
     const identity = await this._3id._mainKeyring.getIdentity()
     this._db = await this._orbitdb.feed(odbAddress || this._name, {
       identity,
-      // accessController: {
-      //   write: ['*'],
-      //   legacy: true
-      // }
       accessController: {
         type: 'thread-access',
-        address: odbAddress
+        address: odbAddress,
+        members: this.membersOnly
       }
     })
     await this._db.load()

From 7636c242f7856326b922b51fc0df6901fe8f4727 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Mon, 20 May 2019 08:21:34 -0400
Subject: [PATCH 05/10] fix: unique ac dbs/names

---
 src/access/moderator-access.js       |  6 ++++--
 src/access/thread-open-mod-access.js | 15 +++++++++------
 src/thread.js                        | 12 +-----------
 3 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index f82caea9..bcbe54f4 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -7,6 +7,7 @@ class ModeratorAccessController {
   constructor (ipfs, options) {
     // Allowed to add other mods or members
     this._write = []
+    this._rootMod =  options.rootMod || "*"
   }
 
   static get type () { return type }
@@ -25,16 +26,17 @@ class ModeratorAccessController {
   }
 
   async load (address) {
-    
+
   }
 
 
   async save () {
+    // self reference store it is used on, doesn't need to be unique
     return { address: 'moderator-access' }
   }
 
   static async create (orbitdb, options = {}) {
-    return new ModeratorAccessController()
+    return new ModeratorAccessController(options)
   }
 }
 
diff --git a/src/access/thread-open-mod-access.js b/src/access/thread-open-mod-access.js
index 382d764a..088f40a9 100644
--- a/src/access/thread-open-mod-access.js
+++ b/src/access/thread-open-mod-access.js
@@ -16,6 +16,7 @@ class ThreadAccessController {
     this._options = options || {}
     this._ipfs = ipfs
     this._members = options.members
+    this._rootMod = options.rootMod
   }
 
   // Returns the type of the access controller
@@ -82,18 +83,20 @@ class ThreadAccessController {
 
   async load (address) {
     if (this._db) { await this._db.close() }
-    // Force '<address>/_access' naming for the database
-    // TODO should memeber and non member threads create different acess controllers
-    // or how to deal with threads with same name with member and non member (different names?
-    //  address of this access controler probably should just change, then different thread name
-    this._db = await this._orbitdb.feed(ensureAddress(address), {
-      // Use moderator access controller
+    // could also prefix with /access or type of access controller,
+    if (this._rootMod) address += '/mod_' + this._rootMod
+    if (this._members) address += '/members'
+
+    this._db = await this._orbitdb.feed(address, {
       accessController: {
         type: 'moderator-access',
+        rootMod: this._rootMod || '*'
       },
       sync: true
     })
 
+    console.log(this._db.address.toString())
+
     //TODO Move somehwere else. but try to add id opening, in case they are first to open this thread
     await this._db.add(this._db.identity.id)
 
diff --git a/src/thread.js b/src/thread.js
index a3252084..acc198fa 100644
--- a/src/thread.js
+++ b/src/thread.js
@@ -39,16 +39,6 @@ class Thread {
     return this._db.access.grant('mod', id)
   }
 
-  /**
-   * List moderators
-   *
-   * @return    {Array<String>}      Array of moderator DIDs
-   */
-  async listMods () {
-    this._requireLoad()
-    return this._db.access.capabilities['mod']
-  }
-
 
   /**
    * List moderators
@@ -155,7 +145,7 @@ class Thread {
       identity,
       accessController: {
         type: 'thread-access',
-        address: odbAddress,
+        address: this._name,
         members: this.membersOnly
       }
     })

From 058ed2ccdc21a034a3c1b0c9af2fc61ae45034c0 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Wed, 22 May 2019 09:06:16 -0400
Subject: [PATCH 06/10] feat: moderator access based on root mod

---
 src/access/moderator-access.js | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index bcbe54f4..e96cfa5e 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -1,13 +1,13 @@
 // 'use strict'
-const { io } = require('orbit-db-access-controllers/src/utils')
 const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
 const type = 'moderator-access'
 
 class ModeratorAccessController {
-  constructor (ipfs, options) {
+  constructor (options) {
     // Allowed to add other mods or members
     this._write = []
     this._rootMod =  options.rootMod || "*"
+    this._write.push(this._rootMod)
   }
 
   static get type () { return type }
@@ -16,7 +16,7 @@ class ModeratorAccessController {
     const entryID = entry.identity.id
     const isMod = this._write.includes(entryID)
 
-    if (this._write.length === 0 || isMod ) {
+    if (this._write.includes('*') || isMod ) {
       const capability = entry.payload.value.capability
       if (capability === 'mod') this._write.push(modAddId)
       return true
@@ -25,10 +25,7 @@ class ModeratorAccessController {
     return false
   }
 
-  async load (address) {
-
-  }
-
+  async load (address) { }
 
   async save () {
     // self reference store it is used on, doesn't need to be unique

From 19ae46f2b5c56465c7d900fc177a7990e91ea53c Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Wed, 22 May 2019 09:49:00 -0400
Subject: [PATCH 07/10] feat: address mod access by rootMod, so that stored and
 amanifest and ref can be loaded

---
 src/access/moderator-access.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index e96cfa5e..9cb085b0 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -1,6 +1,6 @@
 // 'use strict'
 const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
-const type = 'moderator-access'
+const type = '3box-moderator-access'
 
 class ModeratorAccessController {
   constructor (options) {
@@ -25,11 +25,14 @@ class ModeratorAccessController {
     return false
   }
 
-  async load (address) { }
+  async load (address) {
+    const roodMod = address.split('/').pop()
+    if (rootMod === this._rootMod) return
+    throw new Error('ModeratorAccessController: load error, rootMod does not match')
+  }
 
   async save () {
-    // self reference store it is used on, doesn't need to be unique
-    return { address: 'moderator-access' }
+    return { address: `${type}/${this._rootMod}` }
   }
 
   static async create (orbitdb, options = {}) {

From e7fca7b7ce8c134e99a46856c934593cf9ad4606 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Wed, 22 May 2019 14:30:09 -0400
Subject: [PATCH 08/10] feat: enforce cap types, enfoce members at mod access
 level, refactor/helpers for clarity

---
 src/access/moderator-access.js | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index 9cb085b0..53ab57e7 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -2,23 +2,41 @@
 const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
 const type = '3box-moderator-access'
 
+const moderator = 'moderator'
+const member = 'member'
+
 class ModeratorAccessController {
   constructor (options) {
-    // Allowed to add other mods or members
-    this._write = []
+    this._capabilityType = {}
+    this._capabilityType[moderator] = moderator
+    this._write = []     // Allowed to add other mods or members
     this._rootMod =  options.rootMod || "*"
     this._write.push(this._rootMod)
+    this._members = options.members
+    if (this._members) this._capabilityType[member] = member
   }
 
   static get type () { return type }
 
+  isMod(id) {
+    this._write.includes(id)
+  }
+
+  isValidCapability (capability) {
+    Object.entries(this._capabilityType).map(e => e[1]).includes(capability)
+  }
+
   async canAppend (entry, identityProvider) {
     const entryID = entry.identity.id
-    const isMod = this._write.includes(entryID)
+    const capability = entry.payload.value.capability
+    const isMod = this.isMod(entryID)
+    const noMods = this._write.includes('*')
+    const validCapability = isValidCapability(capability)
+
+    // TODO need to still validate sigs with identity provider, extend from other, or implement here
 
-    if (this._write.includes('*') || isMod ) {
-      const capability = entry.payload.value.capability
-      if (capability === 'mod') this._write.push(modAddId)
+    if ((noMods || isMod) && validCapability) {
+      if (capability === this._capabilityType.moderator) this._write.push(modAddId)
       return true
     }
 
@@ -32,7 +50,9 @@ class ModeratorAccessController {
   }
 
   async save () {
-    return { address: `${type}/${this._rootMod}` }
+    let address = `${type}/${this._rootMod}`
+    address += this._members ? '/members' : ''
+    return { address }
   }
 
   static async create (orbitdb, options = {}) {

From acc23374d4f4f32b7f93f5d6fd2ad27706f8c358 Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Thu, 23 May 2019 09:28:08 -0400
Subject: [PATCH 09/10] feat: pass info, so that ac can be loaded from
 addresses, pass memeber opts to mod controller

---
 src/access/moderator-access.js       | 13 ++++++++-----
 src/access/thread-open-mod-access.js | 23 +++++++++++------------
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index 53ab57e7..55d75632 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -1,6 +1,6 @@
 // 'use strict'
 const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
-const type = '3box-moderator-access'
+const type = 'moderator-access'
 
 const moderator = 'moderator'
 const member = 'member'
@@ -44,13 +44,16 @@ class ModeratorAccessController {
   }
 
   async load (address) {
-    const roodMod = address.split('/').pop()
-    if (rootMod === this._rootMod) return
-    throw new Error('ModeratorAccessController: load error, rootMod does not match')
+    const addList = address.split('/')
+    const suffix = addList.pop()
+    this._members = suffix === 'members'
+    const mod = suffix.includes('mod') ? suffix : addList.pop()
+    this._rootMod = mod.split('_')[1]
   }
 
   async save () {
-    let address = `${type}/${this._rootMod}`
+    // TODO if entire obj saved in manfest, can just pass our own fields
+    let address = `${type}/mod_${this._rootMod}`
     address += this._members ? '/members' : ''
     return { address }
   }
diff --git a/src/access/thread-open-mod-access.js b/src/access/thread-open-mod-access.js
index 088f40a9..6f7681bc 100644
--- a/src/access/thread-open-mod-access.js
+++ b/src/access/thread-open-mod-access.js
@@ -1,6 +1,5 @@
 'use strict'
 
-const pMapSeries = require('p-map-series')
 const AccessController = require('orbit-db-access-controllers/src/access-controller-interface')
 const ensureAddress = require('orbit-db-access-controllers/src/utils/ensure-ac-address')
 const entryIPFS = require('ipfs-log/src/entry')
@@ -17,6 +16,7 @@ class ThreadAccessController {
     this._ipfs = ipfs
     this._members = options.members
     this._rootMod = options.rootMod
+    this._threadName = options.threadName
   }
 
   // Returns the type of the access controller
@@ -32,6 +32,8 @@ class ThreadAccessController {
     const mods = this.capabilities['mod']
     const member = this.capabilities['member']
 
+    // TODO still need to verify sig with identity provider
+
     if (op === 'ADD') {
       // Anyone can add entry if open thread
       if (!this._members) { return true }
@@ -83,27 +85,22 @@ class ThreadAccessController {
 
   async load (address) {
     if (this._db) { await this._db.close() }
-    // could also prefix with /access or type of access controller,
-    if (this._rootMod) address += '/mod_' + this._rootMod
-    if (this._members) address += '/members'
 
-    this._db = await this._orbitdb.feed(address, {
+    this._db = await this._orbitdb.feed(ensureAddress(address), {
       accessController: {
         type: 'moderator-access',
-        rootMod: this._rootMod || '*'
+        rootMod: this._rootMod || '*',
+        members: this._members
       },
       sync: true
     })
 
     console.log(this._db.address.toString())
 
-    //TODO Move somehwere else. but try to add id opening, in case they are first to open this thread
-    await this._db.add(this._db.identity.id)
-
     this._db.events.on('ready', this._onUpdate.bind(this))
     this._db.events.on('write', this._onUpdate.bind(this))
     this._db.events.on('replicated', this._onUpdate.bind(this))
-
+    // TODO Update as possible
     await this._db.load()
   }
 
@@ -115,8 +112,8 @@ class ThreadAccessController {
   }
 
   async grant (capability, id) {
-    // TODO limit capabilities
     // TODO  sanitize key
+    // handle error if can't grant?
     await this._db.add({capability, id})
   }
 
@@ -129,8 +126,10 @@ class ThreadAccessController {
   /* Factory */
   static async create (orbitdb, options = {}) {
     const ac = new ThreadAccessController(orbitdb, orbitdb._ipfs, options)
+    console.log(options)
     // Thread address here
-    await ac.load(options.address || 'thread-access-controller')
+    // console.log(options.address)
+    await ac.load(options.threadName)
     return ac
   }
 }

From e09d8a48898876f3bbe05327d652ed616bcf018a Mon Sep 17 00:00:00 2001
From: Zach Ferland <zachferland@gmail.com>
Date: Thu, 23 May 2019 09:55:34 -0400
Subject: [PATCH 10/10] feat: verify sigs and ref canAppend

---
 src/access/moderator-access.js       |  5 ++---
 src/access/thread-open-mod-access.js | 19 ++++++++++---------
 src/space.js                         |  5 +++--
 src/thread.js                        |  8 +++++---
 4 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/src/access/moderator-access.js b/src/access/moderator-access.js
index 55d75632..70aac38b 100644
--- a/src/access/moderator-access.js
+++ b/src/access/moderator-access.js
@@ -32,10 +32,9 @@ class ModeratorAccessController {
     const isMod = this.isMod(entryID)
     const noMods = this._write.includes('*')
     const validCapability = isValidCapability(capability)
+    const validSig = () => identityProvider.verifyIdentity(entry.identity)
 
-    // TODO need to still validate sigs with identity provider, extend from other, or implement here
-
-    if ((noMods || isMod) && validCapability) {
+    if ((noMods || isMod) && validCapability && validSig()) {
       if (capability === this._capabilityType.moderator) this._write.push(modAddId)
       return true
     }
diff --git a/src/access/thread-open-mod-access.js b/src/access/thread-open-mod-access.js
index 6f7681bc..5fcd5f46 100644
--- a/src/access/thread-open-mod-access.js
+++ b/src/access/thread-open-mod-access.js
@@ -28,18 +28,19 @@ class ThreadAccessController {
   }
 
   async canAppend (entry, identityProvider) {
+    const trueIfValidSig = () => identityProvider.verifyIdentity(entry.identity)
+
     const op = entry.payload.op
     const mods = this.capabilities['mod']
-    const member = this.capabilities['member']
-
-    // TODO still need to verify sig with identity provider
+    const members = this.capabilities['member']
+    const isMod = members.includes(entry.identity.id)
+    const isMember = members.includes(entry.identity.id)
 
     if (op === 'ADD') {
       // Anyone can add entry if open thread
-      if (!this._members) { return true }
+      if (!this._members) return trueIfValidSig()
       // Not open thread, any member or mod can add to thread
-      if (members.includes(entry.identity.id)) { return true }
-      if (mods.includes(entry.identity.id)) { return true }
+      if (isMember || isMod) return trueIfValidSig()
     }
 
     if (op === 'DEL') {
@@ -47,13 +48,13 @@ class ThreadAccessController {
       const delEntry = await entryIPFS.fromMultihash(this._ipfs, hash)
 
       // An id can delete their own entries
-      if (delEntry.identity.id === entry.identity.id) { return true }
+      if (delEntry.identity.id === entry.identity.id) return trueIfValidSig()
 
       // Mods can't delete other mods entries
-      if (mods.includes(delEntry.identity.id)) { return false }
+      if (mods.includes(delEntry.identity.id)) return false
 
       // Mods can delete any other entries
-      if (mods.includes(entry.identity.id)) { return true }
+      if (isMod) return trueIfValidSig()
     }
 
     return false
diff --git a/src/space.js b/src/space.js
index 241086bb..f4a12942 100644
--- a/src/space.js
+++ b/src/space.js
@@ -56,7 +56,8 @@ class Space {
    *
    * @param     {String}    name                    The name of the thread
    * @param     {Object}    opts                    Optional parameters
-   * @param     {Object}    opts.membersOnly        join a members only thread, which only members can post in
+   * @param     {Boolean}   opts.membersOnly        join a members only thread, which only members can post in
+   * @param     {String}    opts.rootMod            the rootMod, known as first moderator of a thread, by default user is moderator
    * @param     {Boolean}   opts.noAutoSub          Disable auto subscription to the thread when posting to it (default false)
    *
    * @return    {Thread}                            An instance of the thread class for the joined thread
@@ -65,7 +66,7 @@ class Space {
     console.warn('WARNING: Threads are still experimental, we recommend not relying on this feature for produciton yet.')
     if (this._activeThreads[name]) return this._activeThreads[name]
     const subscribeFn = opts.noAutoSub ? () => {} : this.subscribeThread.bind(this, name)
-    const thread = new Thread(this._orbitdb, namesTothreadName(this._name, name), this._3id, opts.membersOnly, subscribeFn, this._ensureConnected)
+    const thread = new Thread(this._orbitdb, namesTothreadName(this._name, name), this._3id, opts.membersOnly, opts.rootMod, subscribeFn, this._ensureConnected)
     await thread._load()
     this._activeThreads[name] = thread
     return thread
diff --git a/src/thread.js b/src/thread.js
index acc198fa..1b485586 100644
--- a/src/thread.js
+++ b/src/thread.js
@@ -2,7 +2,7 @@ class Thread {
   /**
    * Please use **space.joinThread** to get the instance of this class
    */
-  constructor (orbitdb, name, threeId, membersOnly, subscribe, ensureConnected) {
+  constructor (orbitdb, name, threeId, membersOnly, rootMod, subscribe, ensureConnected) {
     this._orbitdb = orbitdb
     this._name = name
     this._3id = threeId
@@ -10,6 +10,7 @@ class Thread {
     this._ensureConnected = ensureConnected
     this._queuedNewPosts = []
     this._membersOnly = membersOnly
+    this._rootMod = rootMod || this._3id.getDid()
   }
 
   /**
@@ -145,8 +146,9 @@ class Thread {
       identity,
       accessController: {
         type: 'thread-access',
-        address: this._name,
-        members: this.membersOnly
+        threadName: this._name,
+        members: this.membersOnly,
+        rootMod: this.rootMod
       }
     })
     await this._db.load()