
Re: [ACL] Lock owners

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 28 May 2007 19:48:52 +0200
Message-ID: <465B1604.2050901@gmx.de>
To: "Mr. Demeanour" <mrdemeanour@jackpot.uk.net>
CC: acl@webdav.org, WebDAV <w3c-dist-auth@w3.org>

Mr. Demeanour wrote:
> Hi,
> 
> The UNLOCK method requires the <unlock/> privilege, unless the user is
> the owner of the lock, in which case no privilege is required (just the
> lock token).

Yes.

> How is it possible to tell whether the owner of a lock is the current
> user? If the user is authenticated, then he is a principal; but there is
> nothing to link the owner of a lock to a principal, since the <owner>
> element is defined to contain an arbitrary string.

Yes. What you're looking for is the *creator* of the lock 
(<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#lock-creator>), 
which is not exposed with the lock.

> So is it intended that the <owner> for a lock is simply anyone who has a
> copy of the token? But anyone can get the token, just by doing
> lockdiscovery.

No, that's not the intention.

> So when is the <unlock/> privilege required? Does any existing server
> enforce the <unlock/> privilege?

The one we wrote certainly does, and I expect the same applies to many 
others.

How is this a problem?

Best regards, Julian
Received on Monday, 28 May 2007 17:49:21 GMT
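
The rule discussed in this message, sketched as a server-side check; this is an added example, not code from the original message or from any server mentioned in it. It assumes the server records the authenticated principal as lock creator at LOCK time; the class names, paths, principals and token values are constructed, and the 409/403/204 status codes are the ones RFC 4918 lists for UNLOCK.

```python
from dataclasses import dataclass


@dataclass
class Lock:
    token: str    # lock token, readable by clients through DAV:lockdiscovery
    owner: str    # client-supplied <owner> text; never used for authorization
    creator: str  # authenticated principal at LOCK time; kept server-side only


class LockStore:
    """Hypothetical in-memory lock table with a per-resource ACL."""

    def __init__(self, acl):
        self.locks = {}  # resource path -> Lock
        self.acl = acl   # resource path -> {principal: set of privileges}

    def lock(self, path, principal, token, owner_text):
        self.locks[path] = Lock(token, owner_text, principal)

    def lockdiscovery(self, path):
        lk = self.locks[path]
        # The creator is deliberately not part of what clients can read.
        return {"locktoken": lk.token, "owner": lk.owner}

    def unlock(self, path, principal, token):
        lk = self.locks.get(path)
        if lk is None or lk.token != token:
            return 409  # token does not identify a lock on this resource
        is_creator = principal is not None and principal == lk.creator
        has_priv = "unlock" in self.acl.get(path, {}).get(principal, set())
        if not (is_creator or has_priv):
            return 403  # holding the token alone is not enough
        del self.locks[path]
        return 204


def demo():
    # Constructed scenario: "admin" holds the unlock privilege on /doc.
    store = LockStore(acl={"/doc": {"admin": {"unlock"}}})
    store.lock("/doc", "alice", "opaquelocktoken:constructed-1", "Alice (laptop)")
    seen = store.lockdiscovery("/doc")["locktoken"]  # any reader can learn this
    results = [
        store.unlock("/doc", "bob", seen),                       # not creator, no privilege
        store.unlock("/doc", "alice", "opaquelocktoken:other"),  # wrong token
        store.unlock("/doc", "admin", seen),                     # unlock privilege
    ]
    store.lock("/doc", "alice", "opaquelocktoken:constructed-2", "Alice (laptop)")
    results.append(store.unlock("/doc", "alice", "opaquelocktoken:constructed-2"))
    return results


if __name__ == "__main__":
    print(demo())
```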
