W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2001

RE: PROPFIND behaviour regarding collections with non-listable me mbers

From: Jason Crawford <ccjason@us.ibm.com>
Date: Mon, 15 Oct 2001 19:40:01 -0400
To: Daniel Brotsky <dbrotsky@adobe.com>
Cc: "Webdav WG" <w3c-dist-auth@w3c.org>
Message-ID: <OF01BEAD45.56713F52-ON85256AE6.00813681@pok.ibm.com>

<<DB says...
When security is so tight that people aren't allowed to even know
about the existence or non-existence of members, these cases (a
collection that's empty versus one that contains members "invisible
to you") aren't supposed to be distinguishable.  To see this,
consider the case where a collection has some visible and some
invisible members (from a particular user's point of view): just the
visible members should be listed.

But I think there's an entirely different spec issue here: whether or
not DAV collections can hide the existence of members at all.
Section 8.1 on PROPFIND says:

    Consequently, the multistatus XML element for a collection resource
    with member URIs MUST include a response XML element for each member
    URI of the collection, to whatever depth was requested. Each response
    XML element MUST contain an href XML element that gives the URI of
    the resource on which the properties in the prop XML element are
    defined.
>>

But I think we agree that if someone isn't allowed to see if an element
exists, then you simply don't list it as a member of a collection.
(FWIW... They might of course find out some other way if a given URL is
mapped.)

So do we want to fix up the spec, defer the clarification, or let it go?

J.
Received on Monday, 15 October 2001 19:58:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:58 GMT