W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2007

Re: bind, inherited locks, and access control

From: Tim Olsen <tolsen718@gmail.com>
Date: Thu, 11 Jan 2007 19:15:38 -0500
Message-ID: <4be80d840701111615i56d407fayddbd9272d4de87a8@mail.gmail.com>
To: "Julian Reschke" <julian.reschke@gmx.de>
Cc: w3c-dist-auth@w3.org

On 1/11/07, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tim Olsen schrieb:
> >
> > Hi,
> >
> > Let's say a user has an infinite-depth lock on collection C.  There is
> > a resource R under a different collection for which the user does not
> > have DAV:write-content permission on (which is normally needed to
> > perform LOCK on).  Can the user BIND the resource R under C (thereby
> > having R inherit the lock) with only DAV:bind permission on C?  Or is
> > DAV:write-content permission also required on R ?
>
> I'm tempted to say "edge case", thus it depends.
>
> A server could allow the BIND, but that wouldn't affect the permissions,
> thus the resource wouldn't suddenly become writable by somebody else.
>
> Or it could reject the request.
>
> The important thing here is that the BIND request can't be used work
> around the security model, which seems be the case in both cases.


But if the server allows the BIND then the user can exclusively lock
any resource just by binding it under a locked collection that he or
she owns.  Maybe it's best then to require DAV:write-content as well

-Tim

>
> Best regards, Julian
>
Received on Friday, 12 January 2007 00:15:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:15 GMT