Re: RFC 3744: deny-before-grant required?

From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
Date: Sat, 1 Jul 2006 13:06:55 -0400
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Tim Olsen <tolsen718@gmail.com>, w3c-dist-auth@w3.org
Message-ID: <OF68F6A8CC.8075BE06-ON8525719E.005DF0F9-8525719E.005E0468@us.ibm.com>

Yes, that looks like a bug to me as well, and I would fix it as Julian
suggests.
Cheers,
Geoff

Julian wrote on 07/01/2006 04:13:27 AM:
>
> Tim Olsen wrote:
> >
> > Section 8.1.1
> > (http://greenbytes.de/tech/webdav/rfc3744.html#acl.preconditions)
> > of RFC 3744 specifies that deny-before-grant is a requirement.  It
> > does not follow this with a condition stating that it only applies if
> > the constraint is set, as is done for grant-only and no-invert.
> >
> > Is this omission of a condition under which this precondition holds
> > intentional?  Is deny-before-grant a requirement?
>
> I don't think it is, that is, I think you have found a bug in the spec.
>
> So I would propose to change the description to:
>
> "(DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all
> non-inherited grant ACEs. This precondition applies only when the ACL
> restrictions of the resource include the DAV:deny-before-grant
> constraint (defined in Section 5.6.3)."
>
> (Geoff, please confirm :-))
Received on Saturday, 1 July 2006 17:21:07 GMT
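
The precondition as it reads with the wording proposed in the thread, as an added example that is not part of the original messages or of RFC 3744: a Python check that rejects an ACL only when the resource's DAV:acl-restrictions include DAV:deny-before-grant, and that skips inherited ACEs. The helper names and the sample XML bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # ElementTree form of the "DAV:" XML namespace

# Constructed sample bodies (not taken from the thread or the RFC).
RESTRICT_DBG = '<D:acl-restrictions xmlns:D="DAV:"><D:deny-before-grant/></D:acl-restrictions>'
RESTRICT_NONE = '<D:acl-restrictions xmlns:D="DAV:"><D:no-invert/></D:acl-restrictions>'

def _ace(kind, privilege, inherited=False):
    """Build one constructed DAV:ace element as text (kind is 'grant' or 'deny')."""
    tail = "<D:inherited><D:href>/parent/</D:href></D:inherited>" if inherited else ""
    return (f"<D:ace><D:principal><D:all/></D:principal><D:{kind}><D:privilege>"
            f"<D:{privilege}/></D:privilege></D:{kind}>{tail}</D:ace>")

def _acl(*aces):
    """Wrap constructed ACEs in a DAV:acl element."""
    return '<D:acl xmlns:D="DAV:">' + "".join(aces) + "</D:acl>"

GRANT_THEN_DENY = _acl(_ace("grant", "read"), _ace("deny", "write"))
INHERITED_GRANT_FIRST = _acl(_ace("grant", "read", inherited=True),
                             _ace("deny", "write"), _ace("grant", "read"))

def violates_deny_before_grant(acl_xml, restrictions_xml):
    """True if acl_xml fails DAV:deny-before-grant under the proposed wording.

    Hypothetical helper name; the inputs are the request's DAV:acl body and
    the resource's DAV:acl-restrictions property value.
    """
    restrictions = ET.fromstring(restrictions_xml)
    if restrictions.find(DAV + "deny-before-grant") is None:
        return False  # constraint not set on the resource: precondition does not apply
    seen_grant = False
    for ace in ET.fromstring(acl_xml).findall(DAV + "ace"):
        if ace.find(DAV + "inherited") is not None:
            continue  # only non-inherited ACEs are ordered by the precondition
        if ace.find(DAV + "grant") is not None:
            seen_grant = True
        elif ace.find(DAV + "deny") is not None and seen_grant:
            return True  # a non-inherited deny follows a non-inherited grant
    return False
```

Under the unconditional reading that the thread identifies as a spec bug, the first return would be absent and `GRANT_THEN_DENY` would be rejected on every resource.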