
Re: bind, inherited locks, and access control

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 12 Jan 2007 10:09:41 +0100
Message-ID: <45A75055.4020106@gmx.de>
To: Tim Olsen <tolsen718@gmail.com>
CC: w3c-dist-auth@w3.org

Tim Olsen wrote:
>> I'm tempted to say "edge case", thus it depends.
>>
>> A server could allow the BIND, but that wouldn't affect the permissions,
>> thus the resource wouldn't suddenly become writable by somebody else.
>>
>> Or it could reject the request.
>>
>> The important thing here is that the BIND request can't be used to work
>> around the security model, which seems to be the case in both cases.
> 
> 
> But if the server allows the BIND then the user can exclusively lock
> any resource just by binding it under a locked collection that he or
> she owns.  Maybe it's best then to require DAV:write-content as well
> ...

Yep. I know that some people will say "interop" problem, so some more 
thoughts on this:

- As long as the server's behaviour doesn't cause a security problem, 
it's IMHO fine.

- If the request fails, the response body will tell the client why it
didn't (if compliant with RFC3744).

- Finally, this really has nothing to do with BIND. Replace BIND with 
MOVE and the same issue surfaces.

Best regards, Julian
Received on Friday, 12 January 2007 09:09:54 GMT
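
The stricter policy discussed in this thread, sketched as an added example (not part of the original message and not any server's own code): a BIND or MOVE into a collection covered by a depth-infinity lock is refused unless the user also holds DAV:write-content on the resource, and the refusal carries an RFC 3744 DAV:need-privileges body. The function names, the ACL and lock data model, and the 201 success status are assumptions; lock-token checks and MOVE's DAV:unbind check on the source collection are not modelled.

```python
from xml.etree import ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)

def need_privileges(missing):
    """Build an RFC 3744 DAV:need-privileges error body from (href, privilege) pairs."""
    error = ET.Element(f"{{{DAV}}}error")
    need = ET.SubElement(error, f"{{{DAV}}}need-privileges")
    for href, privilege in missing:
        res = ET.SubElement(need, f"{{{DAV}}}resource")
        ET.SubElement(res, f"{{{DAV}}}href").text = href
        priv = ET.SubElement(res, f"{{{DAV}}}privilege")
        ET.SubElement(priv, f"{{{DAV}}}{privilege}")
    return ET.tostring(error, encoding="unicode")

def inherits_lock(collection, locks):
    """True if a depth-infinity lock covers `collection`, so new members inherit it."""
    return any(collection == root or collection.startswith(root.rstrip("/") + "/")
               for root, depth in locks if depth == "infinity")

def authorize(method, user, source, dest_collection, acl, locks):
    """Decide a BIND or MOVE of `source` into `dest_collection`.

    acl maps (user, href) -> set of granted privilege names (assumed model);
    locks is a list of (collection href, depth) pairs.
    """
    if method not in ("BIND", "MOVE"):
        raise ValueError("this check only covers BIND and MOVE")
    missing = []
    if "bind" not in acl.get((user, dest_collection), set()):
        missing.append((dest_collection, "bind"))
    # Stricter policy from the thread: if the new binding would fall under an
    # inherited lock, also require DAV:write-content on the resource itself.
    if inherits_lock(dest_collection, locks) and \
            "write-content" not in acl.get((user, source), set()):
        missing.append((source, "write-content"))
    if missing:
        return 403, need_privileges(missing)
    return 201, ""
```

The same function serves both methods because, as noted above, the issue is identical for BIND and MOVE.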
