- From: Jason Crawford <ccjason@us.ibm.com>
- Date: Mon, 15 Oct 2001 19:40:01 -0400
- To: Daniel Brotsky <dbrotsky@adobe.com>
- Cc: "Webdav WG" <w3c-dist-auth@w3c.org>
<<DB says... When security is so tight that people aren't allowed to even know about the existence or non-existence of members, these cases (a collection that's empty versus one that contains members "invisible to you") aren't supposed to be distinguishable. To see this, consider the case where a collection has some visible and some invisible members (from a particular user's point of view): just the visible members should be listed. But I think there's an entirely different spec issue here: whether or not DAV collections can hide the existence of members at all. Section 8.1 on PROPFIND says: Consequently, the multistatus XML element for a collection resource with member URIs MUST include a response XML element for each member URI of the collection, to whatever depth was requested. Each response XML element MUST contain an href XML element that gives the URI of the resource on which the properties in the prop XML element are defined. >> But I think we agree that if someone isn't allowed to see if an element exists, then you simply don't list it as a member of a collection. (FWIW... They might of course find out some other way if a given URL is mapped.) So do we want to fix up the spec, defer the clarification, or let it go? J.
Received on Monday, 15 October 2001 19:58:07 UTC