- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 01 Feb 2006 14:38:06 +0100
- To: Elias Sinderson <elias@soe.ucsc.edu>
- CC: w3c-dist-auth@w3.org
Elias Sinderson wrote:
>
> bugzilla@soe.ucsc.edu wrote:
>
>> http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=226
>> ------- Additional Comments From geoffrey.clemm@us.ibm.com 2006-01-30 07:34 -------
>>
>>> Given an unmapped URL "/x", will the condition in
>>> If: </x> (Not <DAV:foobar>)
>>> evaluate to true or false?
>>>
>> Since "If: </x> <DAV:foobar>" would evaluate to "false", unless we
>> adjust the definition of NOT, this has to evaluate to "true".
>>
> Agreed.
>
>>> To complicate things, what's the situation for a URL that is mapped,
>>> but for which the authenticated principal lacks access rights?
>>>
>> As above, it would just be the opposite of what "If: </x>
>> <DAV:foobar>" would evaluate to. But there remains the question of
>> what "If: </x> <DAV:foobar>" would evaluate to. The guiding principle
>> here is probably avoiding exposing information to unauthorized users.
>> So an inability to see the object should probably be treated the same
>> as the object not existing, so NOT would return "true".
>>
> I also agree with the above -- especially wrt the security implications
> therein.
>
> Is it worth mentioning this somewhere in bis?

I agree with the analysis, and I think we need to at least clarify the matching for unmapped URLs.

Best regards, Julian
Received on Wednesday, 1 February 2006 13:40:45 UTC
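The evaluation rule the thread converges on, sketched as an added example (not code from the thread or from any WebDAV server): a state token never matches on an unmapped URL, `Not` inverts that result, and a resource the principal cannot see is evaluated exactly like an unmapped one so the condition leaks nothing about its existence. The `RESOURCES` table, the principals and the function names are hypothetical, and the sketch handles a single tagged list of state tokens only (no entity tags, no multiple lists).

```python
import re

# Constructed sample state: URL -> (lock tokens on the resource, principals who may see it)
RESOURCES = {
    "/secret": ({"DAV:foobar"}, {"alice"}),
}

TAGGED = re.compile(r"\s*<([^>]*)>\s*\((.*)\)\s*$")       # <url> ( conditions )
COND = re.compile(r"\s*(Not\s+)?<([^>]*)>", re.IGNORECASE)  # [Not] <state-token>


def visible_tokens(url, principal):
    """Lock tokens the principal may observe on url.

    Returns the same empty set for an unmapped URL and for a mapped URL the
    principal has no access to, so both cases evaluate identically.
    """
    entry = RESOURCES.get(url)
    if entry is None:
        return frozenset()
    tokens, readers = entry
    if principal not in readers:
        return frozenset()
    return frozenset(tokens)


def evaluate_if(header_value, principal):
    """Evaluate one tagged list, e.g. '</x> (Not <DAV:foobar>)'."""
    m = TAGGED.match(header_value)
    if not m:
        raise ValueError("unsupported If header value")
    url, body = m.groups()
    tokens = visible_tokens(url, principal)
    results, pos = [], 0
    while pos < len(body):
        c = COND.match(body, pos)
        if not c:
            if body[pos:].strip():
                raise ValueError("unparsed condition text")
            break
        matched = c.group(2) in tokens
        results.append(not matched if c.group(1) else matched)
        pos = c.end()
    if not results:
        raise ValueError("empty condition list")
    return all(results)  # conditions inside one list are ANDed
```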