Re: DAV:read privilege and browsing

On Nov 30, 2006, at 12:32 AM, Julian Reschke wrote:

>>   I obviously shouldn't be able to read (all of?) the child's  
>> properties, but there is some merit to wanting to be able to see  
>> that the child's URI is present, even if I can't read the child's  
>> properties
>
> Right.
>
>> or content.  I might even want to expose the DAV:resource-type  
>> property so you can tell if it's a collection, etc.
>
> I don't think RFC3744 would allow the latter, even though I would  
> consider it harmless...

   My read leads to the same conclusion.

>>   This also nominally affects GET, when I'm rendering a directory  
>> listing of the parent.  I'd like to show all children, but if you  
>> aren't allowed to see them in PROPFIND, it makes sense that they  
>> should be hidden from the rendered listing as well.
>
> Correct. I personally think they should appear in both, potentially  
> marked up as non-accessible (greyed out...).

   OK, that's where I was heading.  Cyrus had the same concern as  
Kevin; that the file name may itself contain sensitive information,  
and basically cited the same "FIRE-KEVIN.doc" example.  :-)  I'm  
willing to live with that, though; there is plenty of precedent there  
(eg. file systems).

   Thanks for the feedback.

	-wsv

Received on Friday, 1 December 2006 06:19:17 UTC