W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2018

Re: Allow header after Authentication

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 26 Jun 2018 11:29:27 -0700
Cc: ietf-http-wg@w3.org
Message-Id: <9595CFDD-8793-4639-AEAE-508DB791D5E9@gbiv.com>
To: Дилян Палаузов <dilyan.palauzov@aegee.org>
> On Jun 25, 2018, at 4:53 PM, Дилян Палаузов <dilyan.palauzov@aegee.org> wrote:
> Hello,
> how is Allow: different from WebDAV ACL "DAV:current-user-privilege-
> set" [
> https://tools.ietf.org/html/rfc3744#section-5.4 ]: "DAV:current-user-
> privilege-set is a protected property containing the exact set of
> privileges (as computed by the server) granted to the currently
> authenticated HTTP user."?

They have completely different definitions for different purposes.

> The WebDav privileges can also change depending on the time of the day,
> or have different effective permissions being called from laptop or
> watch, or use other means to authenticate, after the PROPFIND for the
> resoure was called.
> Why does it make sense to return DAV:unbind depending on the
> authentication, but not Allow: DELETE under the same conditions?

Because, regardless of its name, Allow has nothing to do with authentication
unless a given resource chooses to make it so.

To be clear, we are talking about historical artifacts that have a specific,
defined meaning.  Whether or not those meanings are consistent among two
entirely different features of entirely different specifications is not even
remotely open to debate at this point.  Nor is it a question of logic, sense,
or even what might be more useful.  These are already-defined terms in
an already-deployed language.

Received on Tuesday, 26 June 2018 18:30:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:21 UTC