- From: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>
- Date: Tue, 28 Nov 2006 15:24:10 -0800
- To: WebDav WG <w3c-dist-auth@w3.org>
- Message-Id: <483537ED-F377-4F8E-A9F2-92A65AB92B5D@wsanchez.net>
I'm looking for a bit of guidance as to the DAV:read privilege and its effect on PROPFIND.

If I don't have DAV:read on a resource, but I do have DAV:read on its parent collection, when I do a PROPFIND with depth=1 on the parent, should I be able to see the child?

It's not clear to me from the ACL spec what I can or cannot expose without DAV:read. My interpretation is that DAV:read on the parent means you can read its list of children. I obviously shouldn't be able to read (all of?) the child's properties, but there is some merit to wanting to be able to see that the child's URI is present, even if I can't read the child's properties or content. I might even want to expose the DAV:resourcetype property so you can tell if it's a collection, etc.

This also nominally affects GET, when I'm rendering a directory listing of the parent. I'd like to show all children, but if you aren't allowed to see them in PROPFIND, it makes sense that they should be hidden from the rendered listing as well.

Varying the GET result on the authentication is problematic from a user experience point of view. If an unauthenticated request is allowed to see some children, I'll only see part of what I would see if I authenticated, but the browser won't be asked to authenticate because then unauthenticated users wouldn't be able to see the parent at all.

-wsv
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Thursday, 30 November 2006 01:27:32 UTC