- From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
- Date: Mon, 2 Oct 2006 23:08:51 -0400
- To: "Tim Olsen" <tolsen718@gmail.com>
- Cc: w3c-dist-auth@w3.org, w3c-dist-auth-request@w3.org
Received on Tuesday, 3 October 2006 03:08:53 UTC
You could do either, but I'd suggest a 401 for each URL, to not expose to the client the information that x.gif and y.gif refer to the same resource.

For example, suppose you had a collection with each of the nominees for a position, and a binding named "selected" to the one that was selected. But you didn't want to give anyone read access yet to see who was selected (but you wanted to let them see the collection, so they could see who was running). If you returned only one of the bindings, and that was the binding to "selected", then someone who knew who was nominated could figure out who was selected by seeing which name was omitted in the 401 report.

Cheers,
Geoff

Tim wrote on 10/02/2006 06:22:21 PM:

> Hello,
>
> Here is an example from the BIND draft.
>
>     Root Collection
>      bindings:
>      CollX
>        |
>        |
>        |
>     Collection C1
>      bindings:
>      x.gif   y.gif
>        |       |
>        |       |
>       Resource R1
>
> Let's say I do an infinite-depth copy on /CollX to /CollY, and I
> have read permission on Collection C1, but not on Resource R1. In
> my multistatus response, do I have to specify a 401 for each URL for
> Resource R1 (/CollX/x.gif and /CollX/y.gif), or for just one of them?
>
> thanks,
> Tim
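The leak described in the reply above, as an added example that is not part of the original thread: it builds the 401 entries of a COPY multistatus both per resource and per URL, then shows what a client who can list the collection learns from the omitted name. The nominee names, resource ids and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)

# Constructed sample: binding URL -> resource id.
# "selected" is a second binding to the same resource as "bob".
BINDINGS = {
    "/nominees/alice": "R1",
    "/nominees/bob": "R2",
    "/nominees/carol": "R3",
    "/nominees/selected": "R2",
}
UNREADABLE = {"R1", "R2", "R3"}  # client may list the collection, not read members


def denied_urls(bindings, unreadable, per_url):
    """URLs to report with 401 for a Depth: infinity COPY."""
    denied = [(u, r) for u, r in sorted(bindings.items()) if r in unreadable]
    if per_url:
        return [u for u, _ in denied]  # one entry per binding URL
    one_per_resource = {}
    for url, rid in denied:
        one_per_resource[rid] = url  # arbitrary server choice: last binding wins
    return sorted(one_per_resource.values())


def multistatus(urls):
    """Serialize the failures as a minimal DAV:multistatus body."""
    ms = ET.Element(f"{{{DAV}}}multistatus")
    for url in urls:
        resp = ET.SubElement(ms, f"{{{DAV}}}response")
        ET.SubElement(resp, f"{{{DAV}}}href").text = url
        ET.SubElement(resp, f"{{{DAV}}}status").text = "HTTP/1.1 401 Unauthorized"
    return ET.tostring(ms, encoding="unicode")


def omitted_names(bindings, reported):
    """Names visible in the collection listing but absent from the 401 report."""
    return sorted(set(bindings) - set(reported))


if __name__ == "__main__":
    for per_url in (False, True):
        urls = denied_urls(BINDINGS, UNREADABLE, per_url)
        print("per URL" if per_url else "per resource", "->", urls)
        print("  omitted from report:", omitted_names(BINDINGS, urls))
        print(" ", multistatus(urls))
```

With one entry per resource, the report omits `/nominees/bob` while listing `/nominees/selected`, which tells the client the two names bind to the same resource; with one entry per URL nothing is omitted.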