On Nov 30, 2006, at 12:32 AM, Julian Reschke wrote: >> I obviously shouldn't be able to read (all of?) the child's >> properties, but there is some merit to wanting to be able to see >> that the child's URI is present, even if I can't read the child's >> properties > > Right. > >> or content. I might even want to expose the DAV:resource-type >> property so you can tell if it's a collection, etc. > > I don't think RFC3744 would allow the latter, even though I would > consider it harmless... My read leads to the same conclusion. >> This also nominally affects GET, when I'm rendering a directory >> listing of the parent. I'd like to show all children, but if you >> aren't allowed to see them in PROPFIND, it makes sense that they >> should be hidden from the rendered listing as well. > > Correct. I personally think they should appear in both, potentially > marked up as non-accessible (greyed out...). OK, that's where I was heading. Cyrus had the same concern as Kevin; that the file name may itself contain sensitive information, and basically cited the same "FIRE-KEVIN.doc" example. :-) I'm willing to live with that, though; there is plenty of precedent there (eg. file systems). Thanks for the feedback. -wsv
Received on Friday, 1 December 2006 06:19:17 UTC