- From: Jason Crawford <ccjason@us.ibm.com>
- Date: Wed, 28 Apr 2004 19:53:35 -0400
- To: Webdav WG <nnw3c-dist-auth___at___w3c.org@smallcue.com>
- Cc:
Received on Wednesday, 28 April 2004 20:07:06 UTC
> > From my point of view:
> >
> > - There are no restrictions on who a server allows to UNLOCK using a
> > "stolen" lock token. It MAY restrict it to the "owner" of the lock, to
> > the owner and principals holding the DAV:unlock privilege, or not
> > restrict it at all. In particular, there's no requirement that for
> > each lock token there actually *is* an "authenticated owner" (unless
> > you count the ACL spec's "DAV:unauthenticated").
> >
> > - On the other hand, submitting the lock token in an If header (usages
> > != UNLOCK) SHOULD be restricted to whatever the server thinks the
> > "owner" of the lock is.
> >
> > Does this make sense?

I began writing this note intending to suggest that we at least encourage some checking of the principal, but after further reflection, I think simply mentioning the options as you just did should be sufficient. It should be clear to the reader that there are benefits to making the checks without us pushing for that.

J.
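The options discussed in the message above, written out as a server-side check. This is an added example, not part of the original post and not taken from any WebDAV server; `UnlockPolicy`, `Lock` and `may_use_token` are hypothetical names, and the token and principals in the test data are constructed.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class UnlockPolicy(Enum):
    """The three UNLOCK options a server MAY choose between."""
    ANYONE = "anyone"                          # no restriction at all
    OWNER = "owner"                            # only the lock's owner
    OWNER_OR_PRIVILEGE = "owner_or_privilege"  # owner, or a DAV:unlock holder


@dataclass(frozen=True)
class Lock:
    token: str
    owner: str  # whatever the server thinks the "owner" of the lock is


def may_use_token(lock: Lock, method: str, principal: Optional[str],
                  submitted_token: str, policy: UnlockPolicy,
                  privileges: FrozenSet[str] = frozenset()) -> bool:
    """Decide whether `principal` may act on the lock with `submitted_token`.

    `principal` is None for an unauthenticated request (assumption: such a
    request never matches a recorded owner).
    """
    # Knowing the token is always required; compare in constant time.
    if not hmac.compare_digest(submitted_token.encode(), lock.token.encode()):
        return False

    is_owner = principal is not None and principal == lock.owner

    if method == "UNLOCK":
        if policy is UnlockPolicy.ANYONE:
            return True
        if policy is UnlockPolicy.OWNER:
            return is_owner
        return is_owner or "DAV:unlock" in privileges

    # Any other method submits the token in an If header:
    # SHOULD be restricted to the lock owner, whatever the UNLOCK policy is.
    return is_owner
```

With `UnlockPolicy.ANYONE`, a token learned by another principal is enough to remove the lock but still not enough to write to the locked resource.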