Re: DAV:read privilege and browsing

From: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>
Date: Thu, 30 Nov 2006 22:18:53 -0800
Cc: WebDav WG <w3c-dist-auth@w3.org>, "'acl@webdav.org'" <acl@webdav.org>
Message-Id: <CDE8D349-96DE-4724-9A30-339A49A1B9A6@wsanchez.net>
To: Julian Reschke <julian.reschke@gmx.de>

On Nov 30, 2006, at 12:32 AM, Julian Reschke wrote:

>>   I obviously shouldn't be able to read (all of?) the child's  
>> properties, but there is some merit to wanting to be able to see  
>> that the child's URI is present, even if I can't read the child's  
>> properties
> Right.
>> or content.  I might even want to expose the DAV:resource-type  
>> property so you can tell if it's a collection, etc.
> I don't think RFC3744 would allow the latter, even though I would  
> consider it harmless...

   My read leads to the same conclusion.

>>   This also nominally affects GET, when I'm rendering a directory  
>> listing of the parent.  I'd like to show all children, but if you  
>> aren't allowed to see them in PROPFIND, it makes sense that they  
>> should be hidden from the rendered listing as well.
> Correct. I personally think they should appear in both, potentially  
> marked up as non-accessible (greyed out...).

   OK, that's where I was heading.  Cyrus had the same concern as  
Kevin; that the file name may itself contain sensitive information,  
and basically cited the same "FIRE-KEVIN.doc" example.  :-)  I'm  
willing to live with that, though; there is plenty of precedent there  
(e.g. file systems).

   Thanks for the feedback.


Received on Friday, 1 December 2006 06:19:17 UTC
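
The behaviour discussed in this message (children without DAV:read still appear in both the PROPFIND result and the rendered GET listing, marked as non-accessible), sketched as an added example that is not part of the original post or any server's code. The ACL model, function names and sample collection are constructed assumptions; note that the child's name is disclosed to every principal, which is the "FIRE-KEVIN.doc" trade-off accepted above.

```python
# Added illustration: ACL model, names and sample data are constructed.
import xml.etree.ElementTree as ET
from html import escape
from urllib.parse import quote

DAV = "DAV:"
ET.register_namespace("D", DAV)

# Constructed collection: child name -> principals granted DAV:read on it.
CHILDREN = {
    "notes.txt": {"alice", "bob"},
    "FIRE-KEVIN.doc": {"alice"},
}

def can_read(name, principal):
    return principal in CHILDREN[name]

def propfind_depth1(parent, principal):
    """207 Multi-Status body: every child href is listed, but properties of
    children the principal cannot read are answered with 403, not values."""
    ms = ET.Element(f"{{{DAV}}}multistatus")
    for name in sorted(CHILDREN):
        resp = ET.SubElement(ms, f"{{{DAV}}}response")
        ET.SubElement(resp, f"{{{DAV}}}href").text = quote(parent + name)
        stat = ET.SubElement(resp, f"{{{DAV}}}propstat")
        prop = ET.SubElement(stat, f"{{{DAV}}}prop")
        dn = ET.SubElement(prop, f"{{{DAV}}}displayname")
        readable = can_read(name, principal)
        if readable:
            dn.text = name  # property value only for readable children
        ET.SubElement(stat, f"{{{DAV}}}status").text = (
            "HTTP/1.1 200 OK" if readable else "HTTP/1.1 403 Forbidden")
    return ET.tostring(ms, encoding="unicode")

def get_listing(parent, principal):
    """HTML listing driven by the same check, so GET and PROPFIND agree
    on which children exist and which are non-accessible."""
    rows = []
    for name in sorted(CHILDREN):
        label = escape(name)
        if can_read(name, principal):
            href = escape(quote(parent + name), quote=True)
            rows.append(f'<li><a href="{href}">{label}</a></li>')
        else:
            rows.append(f'<li class="no-access">{label}</li>')  # greyed out, no link
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

if __name__ == "__main__":
    print(propfind_depth1("/docs/", "bob"))
    print(get_listing("/docs/", "bob"))
```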