- From: Дилян Палаузов <dilyan.palauzov@aegee.org>
- Date: Mon, 25 Jun 2018 23:53:45 +0000
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: ietf-http-wg@w3.org
Hello, how is Allow: different from WebDAV ACL "DAV:current-user-privilege- set" [ https://tools.ietf.org/html/rfc3744#section-5.4 ]: "DAV:current-user- privilege-set is a protected property containing the exact set of privileges (as computed by the server) granted to the currently authenticated HTTP user."? The WebDav privileges can also change depending on the time of the day, or have different effective permissions being called from laptop or watch, or use other means to authenticate, after the PROPFIND for the resoure was called. Why does it make sense to return DAV:unbind depending on the authentication, but not Allow: DELETE under the same conditions? Regards Дилян On Mon, 2018-06-25 at 15:44 -0700, Roy T. Fielding wrote: > > On Jun 25, 2018, at 2:29 PM, Дилян Палаузов <dilyan.palauzov@aegee. > > org> wrote: > > > > Hello, > > > > https://tools.ietf.org/html/rfc7231#section-7.4.1 "Allow header" > > says: > > [ > > > > The "Allow" header field lists the set of methods advertised as > > supported by the target resource. The purpose of this field is > > strictly > > to inform the recipient of valid request methods associated with > > the > > resource. > > > > ] Because the text above does not say anything about authorizaion, > > one > > possible implementation of Allow is to return the same method list > > to > > all - authenticated and not authenticated - clients. > > It says nothing about it because that is a choice for the resource in > question. > > > What would be the use of a returned > > Allow: GET, HEAD, DELETE > > to a client, if the client is authenticated at the time the request > > is > > made and the server knows that with the provided > > authentication/authorization the client cannot perform DELETE? > > Because they might do their DELETE using a different set of > credentials than > in the initial GET. Or maybe the authorization is based on time-of- > day instead > of fixed roles. Or maybe the DELETE only works when initiated by > their watch > instead of their laptop. Or maybe the server just doesn't care that > an unauthorized > DELETE will encounter a 401 response. Or maybe it's a honey trap. > > The Allow field doesn't talk about access control or authorization > because > they are not part of its definition. However, a server can choose to > advertise > whatever method it wants, for whatever reason it chooses to do so. > > ....Roy >
Received on Monday, 25 June 2018 23:54:18 UTC