W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 2006

Re: RFC 3744: deny-before-grant required?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 01 Jul 2006 10:13:27 +0200
Message-ID: <44A62EA7.2090001@gmx.de>
To: Tim Olsen <tolsen718@gmail.com>
CC: w3c-dist-auth@w3.org

Tim Olsen schrieb:
> Section 8.1.1 
> (http://greenbytes.de/tech/webdav/rfc3744.html#acl.preconditions)
> of RFC 3744 specifies that deny-before-grant is a requirement.  It
> does not follow this with a condition stating that it only applies if
> the constraint is set, as is done for grant-only and no-invert.
> Is this omission of a condition under which this preconditon holds
> intentional?  Is deny-before-grant a requirement?

I don't think it is, that is, I think you have found a bug in the spec.

So I would propose to change the description to:

"(DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all 
non-inherited grant ACEs. This precondition applies only when the ACL 
restrictions of the resource include the DAV:deny-before-grant 
constraint (defined in Section 5.6.3)."

(Geoff, please confirm :-))

Best regards, Julian
Received on Saturday, 1 July 2006 08:13:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:40 UTC