- From: Lisa Dusseault <lisa@xythos.com>
- Date: Mon, 14 Jan 2002 11:25:55 -0800
- To: "Clemm, Geoff" <gclemm@Rational.Com>, <w3c-dist-auth@w3c.org>

Geoff said:

> The client should never automatically reuse a lock taken out
> by another client (irrespective of whether or not it was another
> client with the same authentication credentials), but should only
> steal another client's lock on explicit request by the user.

Not even that liberal: the client should only *remove* another client's lock on explicit request by the user. The client should never reuse another client's lock. Ever.

(The ambiguity may just be in the word steal - I'm not sure what you intend here, Geoff)

> So I agree that information about the user that took out the lock
> is required, but this info is available in the DAV:owner field.

No, this info is not necessarily available in the DAV:owner field. Because the client can submit this field, the client can submit bogus information, and it's not necessarily possible for the server to decide if the information is bogus.

> The only reason this information needs to be supplemented, is to
> let the client know whether or not the user will in fact be allowed
> to steal the lock (assuming that he/she wants to), and that is the
> info provided by the DAV:can-lock and DAV:can-unlock privileges.

It's not necessarily an issue of privilege, it may be an issue of system policy. I'm not sure if using can-lock and can-unlock privileges addresses that.

lisa

Received on Monday, 14 January 2002 14:28:28 UTC