RE: PROPFIND behaviour regarding collections with non-listable me mbers from Lisa Dusseault on 2001-10-12 (w3c-dist-auth@w3.org from October to December 2001)

From: Lisa Dusseault <lisa@xythos.com>
Date: Fri, 12 Oct 2001 13:28:03 -0700
To: "Clemm, Geoff" <gclemm@Rational.Com>, "Webdav WG" <w3c-dist-auth@w3c.org>
Message-ID: <HPELJFCBPHIPBEJDHKGKGEJFCOAA.lisa@xythos.com>

The Xythos WFS approach to this problem is the former described by Geoff.
If you don't have permission to view anything inside a directory but you do
have permission to view the directory, then the directory will appear empty.

lisa

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff
> Sent: Friday, October 12, 2001 11:54 AM
> To: Webdav WG
> Subject: RE: PROPFIND behaviour regarding collections with non-listable
> me mbers
>
>
> Depends on what you mean by "has the right to list the collection
> but not its members".  If the client does not have the right to even
> see the names of the members, then the collection should just look
> empty, since the client should not be able to even know it has
> members.  If the client has the right to see the name of members
> but not to see the properties of members, then listing their names
> with the Forbidden status seems reasonable to me.
>
> Cheers,
> Geoff
>
> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Friday, October 12, 2001 7:33 AM
> To: Webdav WG
> Subject: PROPFIND behaviour regarding collections with non-listable
> members
>
>
> I think we have identified something that needs to be clarified
> in RFC2518:
>
> Given a collection X, where the principal does have rights to list the
> collection itself, but not it's members.
>
> Currently our server will distinguish between depth 0 and 1, that is a
> PROPFIND with depth 0 will report the collection (and it's properties) OK,
> while a PROPFIND with depth 1 will result in something like:
>
> <response>
> 	<href>X</href>
> 	<status>HTTP/1.1 403 Forbidden</status>
> </response>
>
> This is because once a response element for X is available,
> there's no other
> way to distinguish between the case where the collection actually
> is empty,
> or the collection is non-empty, but the principal doesn't have
> the right to
> list it's members.
>
> Feedback appreciated.
>
> Julian

Received on Friday, 12 October 2001 16:29:09 UTC