Tim Olsen wrote:
>> I'm tempted to say "edge case", thus it depends.
>>
>> A server could allow the BIND, but that wouldn't affect the permissions,
>> thus the resource wouldn't suddenly become writable by somebody else.
>>
>> Or it could reject the request.
>>
>> The important thing here is that the BIND request can't be used to work
>> around the security model, which seems to be the case in both cases.
>
>
> But if the server allows the BIND then the user can exclusively lock
> any resource just by binding it under a locked collection that he or
> she owns. Maybe it's best then to require DAV:write-content as well
> ...

Yep.

I know that some people will say "interop" problem, so some more thoughts on this:

- As long as the server's behaviour doesn't cause a security problem, it's IMHO fine.

- If the request fails, the response body will tell the client why it didn't (if compliant with RFC3744).

- Finally, this really has nothing to do with BIND. Replace BIND with MOVE and the same issue surfaces.

Best regards, Julian

Received on Friday, 12 January 2007 09:09:54 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 12 October 2007 17:53:27 GMT