

From: Lisa Dusseault <lisa@xythos.com>
Date: Mon, 14 Jan 2002 11:25:55 -0800
To: "Clemm, Geoff" <gclemm@Rational.Com>, <w3c-dist-auth@w3c.org>

Geoff said:
> The client should never automatically reuse a lock taken out
> by another client (irrespective of whether or not it was another
> client with the same authentication credentials), but should only
> steal another client's lock on explicit request by the user.

Not even that liberal: the client should only *remove* another client's lock
on explicit request by the user.  The client should never reuse another
client's lock.  Ever.  (The ambiguity may just be in the word "steal" - I'm
not sure what you intend here, Geoff.)

> So I agree that information about the user that took out the lock
> is required, but this info is available in the DAV:owner field.

No, this info is not necessarily available in the DAV:owner field.  Because
the client can submit this field, the client can submit bogus information,
and it's not necessarily possible for the server to decide if the
information is bogus.

> The only reason this information needs to be supplemented, is to
> let the client know whether or not the user will in fact be allowed
> to steal the lock (assuming that he/she wants to), and that is the
> info provided by the DAV:can-lock and DAV:can-unlock privileges.

It's not necessarily an issue of privilege, it may be an issue of system
policy.  I'm not sure if using can-lock and can-unlock privileges addresses

Received on Monday, 14 January 2002 14:28:28 UTC
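The point made above about DAV:owner being client-submitted, as an added example that is not part of the original message or of any WebDAV server's code: a server-side lock record keeps the owner claim from the LOCK body separate from the authenticated principal, and bases the unlock decision only on the latter. The names `LockRecord`, `create_lock`, `may_unlock` and `policy_allows_break`, and the request body, are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

DAV = "{DAV:}"

# Constructed LOCK request body (lockinfo element). The owner value is
# free-form text chosen by the client; nothing here proves who sent it.
LOCK_BODY = """<D:lockinfo xmlns:D="DAV:">
  <D:lockscope><D:exclusive/></D:lockscope>
  <D:locktype><D:write/></D:locktype>
  <D:owner><D:href>mailto:alice@example.com</D:href></D:owner>
</D:lockinfo>"""


@dataclass(frozen=True)
class LockRecord:
    token: str
    claimed_owner: str  # copied from DAV:owner, display only, unverified
    principal: str      # taken from the authenticated connection


def claimed_owner(body: str) -> str:
    """Return the text of DAV:owner exactly as the client supplied it."""
    owner = ET.fromstring(body).find(DAV + "owner")
    if owner is None:
        return ""
    return "".join(owner.itertext()).strip()


def create_lock(body: str, authenticated_principal: str, token: str) -> LockRecord:
    # The server records who authenticated, independent of the owner claim.
    return LockRecord(token, claimed_owner(body), authenticated_principal)


def may_unlock(record: LockRecord, requester: str,
               policy_allows_break: bool = False) -> bool:
    """Decide on the authenticated principal, never on claimed_owner.

    policy_allows_break stands in for whatever privilege or system policy
    lets a different user remove the lock (assumption for this example).
    """
    return requester == record.principal or policy_allows_break


if __name__ == "__main__":
    # "mallory" authenticates but submits an owner field naming alice.
    rec = create_lock(LOCK_BODY, "mallory", "opaquelocktoken:constructed-1")
    print(rec)
    print("alice may unlock:", may_unlock(rec, "alice"))
    print("mallory may unlock:", may_unlock(rec, "mallory"))
```
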
