Re: Users with different access rights in HTTP Authentication

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 21 Feb 2009 20:24:38 +0100
Message-ID: <49A054F6.1040805@gmx.de>
To: Martin Atkins <mart@degeneration.co.uk>
CC: www-talk@w3.org
Martin Atkins wrote:
>>> * Return 405 Method Not Allowed, and indicate in the "Allow" response 
>>> header the methods that this particular authenticated user is allowed 
>>> to perform. (i.e. Allow: GET)
>>
>> The description for 405 is not very clear, but the one for "Allow" is 
>> (IMHO):
>>
>> "The Allow entity-header field lists the set of methods supported by 
>> the resource identified by the Request-URI." -- 
>> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7>
>>
>> So no, this doesn't fit.
>>
> 
> So I guess the thought here is that the text says "methods supported" 
> rather than "methods allowed", which implies that it is not user-sensitive.

Yes.

> If Allow is not supposed to reflect the access rights of the remote 
> user, can you suggest an alternative mechanism by which I can tell the 
> client "You can GET but you don't have access to PUT or DELETE?"

You mean, without trying? RFC 3744 is one potential answer, if you can 
accept a WebDAV basis.

> ...

BR, Julian
Received on Saturday, 21 February 2009 19:25:27 GMT
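The distinction Julian draws above, as an added example that is not code from the thread or from any W3C project: `Allow` describes what the resource implements and is the same for every caller, so a user who lacks rights for a supported method gets a per-user refusal rather than a 405, and the per-user view is published separately via the RFC 3744 `DAV:current-user-privilege-set` property. The resource, its ACL, and the method-to-privilege mapping are constructed for this example.

```python
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

DAV = "DAV:"


@dataclass
class Resource:
    # Methods this resource implements, independent of who is asking.
    supported: frozenset = frozenset(
        {"GET", "HEAD", "OPTIONS", "PUT", "DELETE", "PROPFIND"})
    # Constructed ACL: user -> granted RFC 3744 privilege names.
    acl: dict = field(default_factory=lambda: {
        "alice": {"read", "write", "unbind"},
        "bob": {"read"},
    })


# Privilege each method needs (a constructed mapping for this example).
NEEDED = {"GET": "read", "HEAD": "read", "OPTIONS": "read",
          "PROPFIND": "read", "PUT": "write", "DELETE": "unbind"}


def allow_header(res):
    # Allow (RFC 2616 14.7) lists what the resource supports; never filtered per user.
    return ", ".join(sorted(res.supported))


def handle(res, method, user):
    """Return (status, headers) for `method` issued by `user`."""
    if method not in res.supported:
        # Method unknown to the resource: 405 with the resource-wide Allow list.
        return 405, {"Allow": allow_header(res)}
    if NEEDED[method] not in res.acl.get(user, set()):
        # Supported method, insufficient rights: refuse this user, no Allow header.
        return 403, {}
    return 200, {}


def current_user_privilege_set(res, user):
    """Render DAV:current-user-privilege-set (RFC 3744 section 5.4) for `user`."""
    root = ET.Element(f"{{{DAV}}}current-user-privilege-set")
    for priv in sorted(res.acl.get(user, set())):
        holder = ET.SubElement(root, f"{{{DAV}}}privilege")
        ET.SubElement(holder, f"{{{DAV}}}{priv}")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    r = Resource()
    print(handle(r, "PUT", "bob"))          # (403, {})
    print(current_user_privilege_set(r, "bob"))
```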