RE: Notes from DAV meeting from Clemm, Geoff on 2001-08-15 (w3c-dist-auth@w3.org from July to September 2001)

From: Clemm, Geoff <gclemm@rational.com>
Date: Wed, 15 Aug 2001 09:56:18 -0400
To: Webdav WG <w3c-dist-auth@w3c.org>
Message-ID: <3906C56A7BD1F54593344C05BD1374B103F4875F@SUS-MA1IT01>

   From: Hall, Shaun [mailto:Shaun.Hall@gbr.xerox.com]

I agree with all of Shaun's comments, except for:

   > - Lock Permissions -
   > Consensus around: Users other than lock creators MAY be able to
   > UNLOCK a resource by discovering and using the correct lock
   > token.

   Assuming your are referring to "ordinary" users i.e. not say when
   an Administrator removes a lock because an employee has left the
   company sort of thing:

   I strongly disagree with this. It should not be allowed at all.

I strongly agree with the consensus opinion.

A client holding a lock already has to deal with locks being lost
through timeouts.  Allowing another client to effectively force the
timeout is a valuable feature that does not increase the complexity of
the locking client.  A server can use access control to control what
users have permission to force the timeout.

   I know locks can disappear at any time, but it could cause problems
   for example ...

Any such problem already occurs because of timeouts, so clients have to
deal with all these situations anyway.  Allowing a client to force
a timeout decreases the need to have an automatic server timeout,
and therefore this capability will actually decrease the number of
unnecessary timeouts (since the server can be written to assume that
timeouts will be forced by clients that need them).

   > Servers should never allow users other than lock creaters to
   > update a locked resource, even if they use the correct lock
   > token.

   I know what this statement is meant to mean, but one could say this 2nd
   statement contradicts the 1st because the new lock creator is not the
   original lock creator.

The "update" here means "update the content or dead properties".
An UNLOCK does not update the content or dead properties, and therefore
these two statements are consistent.  The term "update" could be
clarified, to make sure there is no misunderstanding.

   After all, look at the confusion "null resource" caused.

I don't see the relationship between forced lock timeouts and null
resources.

Cheers,
Geoff

Received on Wednesday, 15 August 2001 09:47:02 UTC