Re: PROPFIND Depth:1 and ACLs from Werner Donné on 2007-05-14 (w3c-dist-auth@w3.org from April to June 2007)

From: Werner Donné <werner.donne@re.be>
Date: Mon, 14 May 2007 21:59:11 +0200
To: w3c-dist-auth@w3.org
Message-ID: <4648BF8F.4010108@re.be>

Hi,

Section 8.2 of RFC 2518bis has two paragraphs which say:

"If there is an error retrieving a property then a proper error
  result MUST be included in the response.  A request to retrieve the
  value of a property which does not exist is an error and MUST be
  noted, if the response uses a multistatus XML element, with a
  response XML element which contains a 404 (Not Found) status value.

  Consequently, the multistatus XML element for a collection resource
  with member URLs MUST include a response XML element for each member
  URL of the collection, to whatever depth was requested. Each
  response XML element MUST contain an href XML element that gives the
  URL of the resource on which the properties in the prop XML element
  are defined.  URLs for collections appearing in the results MUST end
  in a slash character.  Results for a PROPFIND on a collection
  resource with internal member URLs are returned as a flat list whose
  order of entries is not significant."

This mandates a response element for resource B.

It further also says:

"Properties may be subject to access control. In the case of allprop
  and propname, if a principal does not have the right to know whether
  a particular property exists then the property should be silently
  excluded from the response."

This still doesn't allow for omitting a response element. At most a
property can be left out.

My conclusion is that when you have the read privilege on a collection,
you have the right to see its entire contents, i.e. all of its members.
There is no notion of a partial read privilege.

The problem, however, is that there is no method to retrieve the
contents of a collection. You have to use PROPFIND with which you
can't request for an empty set of properties. You have to ask for
something, which means you always request the collection contents
together with information about its members. In the case the principal
doesn't have the read privilege for some member, a 403 status code should
be placed in its response element. According to the content model
of the "response" element it can be done with a "status" element
directly under "response", so no property names have to be exposed.
It anyway doesn't make sense to set the status for each property,
because RFC 3744 doesn't allow to set privileges on individual
properties.

Note that having to use PROPFIND to retrieve the contents of a
collection has a serious impact on performance when ACLs are supported.

Regards,

Werner.
-- 
Werner Donné  --  Re
Engelbeekstraat 8
B-3300 Tienen
tel: (+32) 486 425803	e-mail: werner.donne@re.be

Received on Monday, 14 May 2007 19:58:40 UTC