- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 11 Jan 2007 22:53:46 +0100
- To: Tim Olsen <tolsen718@gmail.com>
- CC: w3c-dist-auth@w3.org
Tim Olsen schrieb: > > Hi, > > Let's say a user has an infinite-depth lock on collection C. There is > a resource R under a different collection for which the user does not > have DAV:write-content permission on (which is normally needed to > perform LOCK on). Can the user BIND the resource R under C (thereby > having R inherit the lock) with only DAV:bind permission on C? Or is > DAV:write-content permission also required on R ? I'm tempted to say "edge case", thus it depends. A server could allow the BIND, but that wouldn't affect the permissions, thus the resource wouldn't suddenly become writable by somebody else. Or it could reject the request. The important thing here is that the BIND request can't be used work around the security model, which seems be the case in both cases. Best regards, Julian
Received on Thursday, 11 January 2007 21:53:52 UTC