- From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
- Date: Sat, 1 Jul 2006 13:06:55 -0400
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Tim Olsen <tolsen718@gmail.com>, w3c-dist-auth@w3.org

Yes, that looks like a bug to me as well, and I would fix it as Julian suggests.

Cheers,
Geoff

Julian wrote on 07/01/2006 04:13:27 AM:

> Tim Olsen wrote:
> >
> > Section 8.1.1
> > (http://greenbytes.de/tech/webdav/rfc3744.html#acl.preconditions)
> > of RFC 3744 specifies that deny-before-grant is a requirement. It
> > does not follow this with a condition stating that it only applies if
> > the constraint is set, as is done for grant-only and no-invert.
> >
> > Is this omission of a condition under which this precondition holds
> > intentional? Is deny-before-grant a requirement?
>
> I don't think it is, that is, I think you have found a bug in the spec.
>
> So I would propose to change the description to:
>
> "(DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all
> non-inherited grant ACEs. This precondition applies only when the ACL
> restrictions of the resource include the DAV:deny-before-grant
> constraint (defined in Section 5.6.3)."
>
> (Geoff, please confirm :-))

Received on Saturday, 1 July 2006 17:21:07 UTC
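
The precondition as reworded in the proposal above, sketched as a server-side check. This is an added example, not part of the original thread or of any WebDAV implementation. The function name, helper names and sample ACLs are constructed for illustration, and the XML is assumed to be already authenticated and size-limited.

```python
import xml.etree.ElementTree as ET  # for untrusted request bodies, prefer a hardened parser

DAV = "{DAV:}"  # ElementTree's expanded form of the "DAV:" namespace

def violates_deny_before_grant(acl_xml, restrictions_xml):
    """True if the ACL breaks DAV:deny-before-grant as reworded above."""
    restrictions = ET.fromstring(restrictions_xml)
    if restrictions.find(DAV + "deny-before-grant") is None:
        return False  # constraint not advertised: precondition does not apply
    seen_grant = False
    for ace in ET.fromstring(acl_xml).findall(DAV + "ace"):
        if ace.find(DAV + "inherited") is not None:
            continue  # the rule orders non-inherited ACEs only
        if ace.find(DAV + "grant") is not None:
            seen_grant = True
        elif ace.find(DAV + "deny") is not None and seen_grant:
            return True  # non-inherited deny after a non-inherited grant
    return False

# Constructed sample data (not from the thread).
def ace(kind, inherited=False):
    inh = "<D:inherited><D:href>/parent/</D:href></D:inherited>" if inherited else ""
    return ("<D:ace><D:principal><D:all/></D:principal>"
            f"<D:{kind}><D:privilege><D:write/></D:privilege></D:{kind}>{inh}</D:ace>")

def acl(*aces):
    return '<D:acl xmlns:D="DAV:">' + "".join(aces) + "</D:acl>"

WITH_CONSTRAINT = '<D:acl-restrictions xmlns:D="DAV:"><D:deny-before-grant/></D:acl-restrictions>'
WITHOUT_CONSTRAINT = '<D:acl-restrictions xmlns:D="DAV:"><D:no-invert/></D:acl-restrictions>'

GRANT_THEN_DENY = acl(ace("grant"), ace("deny"))
DENY_THEN_GRANT = acl(ace("deny"), ace("grant"))
GRANT_THEN_INHERITED_DENY = acl(ace("grant"), ace("deny", inherited=True))

if __name__ == "__main__":
    for name in ("GRANT_THEN_DENY", "DENY_THEN_GRANT", "GRANT_THEN_INHERITED_DENY"):
        for label, r in (("with", WITH_CONSTRAINT), ("without", WITHOUT_CONSTRAINT)):
            print(name, label, "constraint ->", violates_deny_before_grant(globals()[name], r))
```

Under the original Section 8.1.1 wording, the grant-then-deny ACL would be rejected on every resource; with the proposed wording it is rejected only where the resource advertises the constraint.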