W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2006

DAV:read privilege and browsing

From: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>
Date: Tue, 28 Nov 2006 15:24:10 -0800
Message-Id: <483537ED-F377-4F8E-A9F2-92A65AB92B5D@wsanchez.net>
To: WebDav WG <w3c-dist-auth@w3.org>
   I'm looking for a bit of guidance as to the DAV:read privilege and  
its effect on PROPFIND.

   If I don't have DAV:read on a resource, but I do have DAV:read on  
its parent collection, when I do a PROPFIND with depth=1 on the  
parent, should I be able to see the child?

   It's not clear to me from the ACL spec what I can or can not expose  
without DAV:read.  My interpretation is that DAV:read on the parent  
means you can read its list of children.

   I obviously shouldn't be able to read (all of?) the child's  
properties, but there is some merit to wanting to be able to see that  
the child's URI is present, even if I can't read the child's  
properties or content.  I might even want to expose the DAV:resource- 
type property so you can tell if it's a collection, etc.

   This also nominally affects GET, when I'm rendering a directory  
listing of the parent.  I'd like to show all children, but if you  
aren't allowed to see them in PROPFIND, it makes sense that they  
should be hidden from the rendered listing as well.

   Varying the GET result on the authentication is problematic from a  
user experience point of view.  If an unauthenticated request is  
allowed to see some children, I'll only see part of what I would see  
if I authenticated, but the browser won't be asked to authenticate  
because then unauthenticated users wouldn't be able to see the parent  
at all.

	-wsv




Received on Thursday, 30 November 2006 01:27:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:15 GMT