Mr. Demeanour wrote: > Hi, > > The UNLOCK method requires the <unlock/> privilege, unless the user is > the owner of the lock, in which case no privilege is required (just the > lock token). Yes. > How is it possible to tell whether the owner of a lock is the current > user? If the user is authenticated, then he is a principal; but there is > nothing to link the owner of a lock to a principal, since the <owner> > element is defined to contain an arbitrary string. Yes. What you're looking for is the *creator* of the lock (<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#lock-creator>), which is not exposed with the lock. > So is it intended that the <owner> for a lock is simply anyone who has a > copy of the token? But anyone can get the token, just by doing > lockdiscovery. No, that's not the intention. > So when is the <unlock/> privilege required? Does any existing server > enforce the <unlock/> privilege? The one we wrote certainly does, and I expect the same applies to many others. How is this a problem? Best regards, JulianReceived on Monday, 28 May 2007 17:49:21 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:15 GMT