- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 28 May 2007 19:48:52 +0200
- To: "Mr. Demeanour" <mrdemeanour@jackpot.uk.net>
- CC: acl@webdav.org, WebDAV <w3c-dist-auth@w3.org>
Mr. Demeanour wrote:
> Hi,
>
> The UNLOCK method requires the <unlock/> privilege, unless the user is
> the owner of the lock, in which case no privilege is required (just the
> lock token).

Yes.

> How is it possible to tell whether the owner of a lock is the current
> user? If the user is authenticated, then he is a principal; but there is
> nothing to link the owner of a lock to a principal, since the <owner>
> element is defined to contain an arbitrary string.

Yes. What you're looking for is the *creator* of the lock
(<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#lock-creator>),
which is not exposed with the lock.

> So is it intended that the <owner> for a lock is simply anyone who has a
> copy of the token? But anyone can get the token, just by doing
> lockdiscovery.

No, that's not the intention.

> So when is the <unlock/> privilege required? Does any existing server
> enforce the <unlock/> privilege?

The one we wrote certainly does, and I expect the same applies to many others. How is this a problem?

Best regards, Julian
Received on Monday, 28 May 2007 17:49:21 UTC
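The distinction drawn in the reply above, between the client-supplied <owner> string and the lock's creator, shown as an added example that is not part of the original message or of any server mentioned in it. It assumes the server records the authenticated principal at LOCK time; `Lock`, `authorize_unlock` and the decision strings are hypothetical names, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Lock:
    token: str    # lock token; visible to anyone who can do lockdiscovery
    owner: str    # client-supplied <owner> content: arbitrary text, never trusted
    creator: str  # authenticated principal that issued LOCK (kept server-side)


def authorize_unlock(lock: Lock, principal: Optional[str],
                     submitted_token: str, privileges: Set[str]) -> str:
    """Decide an UNLOCK request; `principal` is None for anonymous requests."""
    # The token only identifies which lock is meant. Because it is
    # discoverable, possessing it proves nothing about the requester.
    if submitted_token != lock.token:
        return "reject: token does not match lock"
    if principal is None:
        return "reject: authentication required"
    # The creator needs no extra privilege. lock.owner is deliberately
    # not consulted: it is whatever string the locking client sent.
    if principal == lock.creator:
        return "allow: lock creator"
    # Any other principal needs the unlock privilege on the resource.
    if "unlock" in privileges:
        return "allow: unlock privilege"
    return "reject: not creator and no unlock privilege"


# Constructed sample: alice took the lock, but her client wrote bob's
# address into <owner>.
SAMPLE = Lock(token="opaquelocktoken:constructed-example-0001",
              owner="bob@example.org", creator="alice")

if __name__ == "__main__":
    for who, privs in [("alice", set()), ("bob@example.org", set()),
                       ("admin", {"unlock"}), (None, set())]:
        print(who, "->", authorize_unlock(SAMPLE, who, SAMPLE.token, privs))
```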