- From: Tim Olsen <tolsen718@gmail.com>
- Date: Thu, 11 Jan 2007 19:15:38 -0500
- To: "Julian Reschke" <julian.reschke@gmx.de>
- Cc: w3c-dist-auth@w3.org
On 1/11/07, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tim Olsen wrote:
> >
> > Hi,
> >
> > Let's say a user has an infinite-depth lock on collection C. There is
> > a resource R under a different collection for which the user does not
> > have DAV:write-content permission on (which is normally needed to
> > perform LOCK on). Can the user BIND the resource R under C (thereby
> > having R inherit the lock) with only DAV:bind permission on C? Or is
> > DAV:write-content permission also required on R ?
>
> I'm tempted to say "edge case", thus it depends.
>
> A server could allow the BIND, but that wouldn't affect the permissions,
> thus the resource wouldn't suddenly become writable by somebody else.
>
> Or it could reject the request.
>
> The important thing here is that the BIND request can't be used to work
> around the security model, which seems to be the case in both cases.

But if the server allows the BIND then the user can exclusively lock
any resource just by binding it under a locked collection that he or
she owns. Maybe it's best then to require DAV:write-content as well.

-Tim

>
> Best regards, Julian
>
Received on Friday, 12 January 2007 00:15:43 UTC
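
The two server policies discussed in this thread, modelled in Python as an added example (not code from either poster or from any WebDAV server). The `Node` class, the principals `tim` and `alice`, and the in-memory ACL and lock model are assumptions made for illustration; the lock on C is treated as an exclusive depth-infinity lock.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    acl: dict = field(default_factory=dict)   # principal -> set of DAV privileges
    lock_owner: str = ""                      # holder of an exclusive lock, "" if none
    members: list = field(default_factory=list)

def granted(node, user, privilege):
    return privilege in node.acl.get(user, set())

def authorize_bind(user, resource, collection, require_write_content):
    """Decide a BIND of `resource` into `collection`; returns (status, reason)."""
    if not granted(collection, user, "DAV:bind"):
        return 403, "DAV:bind missing on collection"
    if collection.lock_owner and collection.lock_owner != user:
        return 423, "collection locked by another principal"
    inherits_lock = collection.lock_owner == user
    if (inherits_lock and require_write_content
            and not granted(resource, user, "DAV:write-content")):
        return 403, "binding would lock a resource the user may not LOCK directly"
    return 201, "binding created"

def bind(user, resource, collection, require_write_content):
    status, reason = authorize_bind(user, resource, collection, require_write_content)
    if status == 201:
        collection.members.append(resource)
        if collection.lock_owner:             # depth-infinity lock covers the new member
            resource.lock_owner = collection.lock_owner
    return status, reason

def can_write(user, resource):
    # A write needs the privilege and no exclusive lock held by someone else.
    unlocked_for_user = resource.lock_owner in ("", user)
    return unlocked_for_user and granted(resource, user, "DAV:write-content")

def scenario(require_write_content):
    # Constructed data: tim holds the lock on C, alice is the only writer of R.
    c = Node("C", acl={"tim": {"DAV:bind"}}, lock_owner="tim")
    r = Node("R", acl={"alice": {"DAV:write-content"}})
    status, _ = bind("tim", r, c, require_write_content)
    return status, can_write("tim", r), can_write("alice", r)

if __name__ == "__main__":
    print("permissive:", scenario(False))
    print("strict:    ", scenario(True))
```

Under the permissive policy R never becomes writable by the binder, but its existing writer is locked out; requiring DAV:write-content on R rejects the BIND and leaves R untouched.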