- From: Elias Sinderson <elias@soe.ucsc.edu>
- Date: Tue, 31 Jan 2006 23:10:18 -0800
- To: w3c-dist-auth@w3.org

bugzilla@soe.ucsc.edu wrote:

>http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=226
>------- Additional Comments From geoffrey.clemm@us.ibm.com 2006-01-30 07:34 -------
>
>>Given an unmapped URL "/x", will the condition in
>>  If: </x> (Not <DAV:foobar>)
>>evaluate to true or false?
>
>Since "If: </x> <DAV:foobar>" would evaluate to "false", unless we adjust the
>definition of NOT, this has to evaluate to "true".

Agreed.

>>To complicate things, what's the situation for a URL that is mapped, but for
>>which the authenticated principal lacks access rights?
>
>As above, it would just be the opposite of what "If: </x> <DAV:foobar>" would
>evaluate to. But there remains the question of what "If: </x> <DAV:foobar>"
>would evaluate to. The guiding principle here is probably avoiding exposing
>information to unauthorized users. So an inability to see the object should
>probably be treated the same as the object not existing, so NOT would
>return "true".

I also agree with the above -- especially wrt the security implications therein. Is it worth mentioning this somewhere in bis?

Best,
Elias

Received on Wednesday, 1 February 2006 07:10:32 UTC
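
The evaluation rule discussed in the message above, as an added example that is not part of the original thread or of any WebDAV server's code: a simplified If-header evaluator in which an unmapped URL and a mapped URL the principal cannot read both present an empty set of state tokens, so a plain condition is false, its Not form is true, and the result does not reveal whether the resource exists. Assumptions: the parenthesized tagged-list syntax, state tokens only (no entity tags), and the constructed names `RESOURCES`, `visible_tokens`, `eval_if`, `/locked`, `alice` and `mallory`.

```python
import re

# Constructed server state (assumption): one mapped, locked resource that only
# "alice" may read. "/x" is deliberately absent, i.e. an unmapped URL.
RESOURCES = {
    "/locked": {"readers": {"alice"}, "tokens": {"urn:uuid:constructed-lock-1"}},
}

def visible_tokens(url, principal):
    """State tokens the principal may match against.

    An unmapped URL and a mapped URL the principal cannot read both yield the
    empty set, so the two cases are indistinguishable to the caller.
    """
    res = RESOURCES.get(url)
    if res is None or principal not in res["readers"]:
        return frozenset()
    return frozenset(res["tokens"])

_TAGGED = re.compile(r"<([^>]*)>\s*((?:\([^)]*\)\s*)+)")  # <url> (list) (list)...
_LIST = re.compile(r"\(([^)]*)\)")
_COND = re.compile(r"(Not\s+)?<([^>]*)>")                  # state tokens only

def eval_if(header, principal):
    """True if any list matches; conditions within a list are ANDed."""
    tagged = _TAGGED.findall(header)
    if not tagged:
        raise ValueError("expected a tagged list: <url> (conditions)")
    for url, lists in tagged:
        tokens = visible_tokens(url, principal)
        for body in _LIST.findall(lists):
            conds = _COND.findall(body)
            # A condition holds when token presence disagrees with the Not flag.
            if conds and all((tok in tokens) != bool(neg) for neg, tok in conds):
                return True
    return False

if __name__ == "__main__":
    for who in ("alice", "mallory"):
        for hdr in ("</x> (<DAV:foobar>)", "</x> (Not <DAV:foobar>)",
                    "</locked> (Not <urn:uuid:constructed-lock-1>)"):
            print(who, hdr, "->", eval_if(hdr, who))
```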