W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2007

Re: bind, inherited locks, and access control

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 11 Jan 2007 22:53:46 +0100
Message-ID: <45A6B1EA.8070802@gmx.de>
To: Tim Olsen <tolsen718@gmail.com>
CC: w3c-dist-auth@w3.org

Tim Olsen schrieb:
> 
> Hi,
> 
> Let's say a user has an infinite-depth lock on collection C.  There is
> a resource R under a different collection for which the user does not
> have DAV:write-content permission on (which is normally needed to
> perform LOCK on).  Can the user BIND the resource R under C (thereby
> having R inherit the lock) with only DAV:bind permission on C?  Or is
> DAV:write-content permission also required on R ?

I'm tempted to say "edge case", thus it depends.

A server could allow the BIND, but that wouldn't affect the permissions, 
thus the resource wouldn't suddenly become writable by somebody else.

Or it could reject the request.

The important thing here is that the BIND request can't be used work 
around the security model, which seems be the case in both cases.

Best regards, Julian
Received on Thursday, 11 January 2007 21:53:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:15 GMT