- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 12 Jan 2007 10:09:41 +0100
- To: Tim Olsen <tolsen718@gmail.com>
- CC: w3c-dist-auth@w3.org
Tim Olsen wrote:
>> I'm tempted to say "edge case", thus it depends.
>>
>> A server could allow the BIND, but that wouldn't affect the permissions,
>> thus the resource wouldn't suddenly become writable by somebody else.
>>
>> Or it could reject the request.
>>
>> The important thing here is that the BIND request can't be used to work
>> around the security model, which seems to be the case in both cases.
>
>
> But if the server allows the BIND then the user can exclusively lock
> any resource just by binding it under a locked collection that he or
> she owns. Maybe it's best then to require DAV:write-content as well
> ...

Yep.

I know that some people will say "interop" problem, so some more thoughts on this:

- As long as the server's behaviour doesn't cause a security problem, it's IMHO fine.

- If the request fails, the response body will tell the client why it didn't (if compliant with RFC3744).

- Finally, this really has nothing to do with BIND. Replace BIND with MOVE and the same issue surfaces.

Best regards, Julian
Received on Friday, 12 January 2007 09:09:54 UTC
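The scenario Tim describes (a depth-infinity exclusive lock on a collection extending to any resource bound into it) and the check the two of them converge on (requiring DAV:write-content on the resource being bound) can be shown with a small model. The following is an added illustration written for this archive page; it is not code from any WebDAV server or from the thread participants. It assumes a deliberately simplified server: one exclusive depth-infinity lock per collection, DAV:bind granted only to the collection owner, and the ACL reduced to the set of principals holding DAV:write-content on a resource. The same toggle would apply to MOVE, as Julian notes.

```python
"""Toy model of BIND into a locked collection (constructed example, not server code).

Shows why a user who holds an exclusive lock on their own collection could make
another user's resource locked just by binding it there, and how requiring the
DAV:write-content privilege on the bound resource prevents that.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class Forbidden(Exception):
    """Raised where a real server would answer 403 with an RFC 3744 error body."""


@dataclass
class Resource:
    name: str
    # Simplified ACL: principals holding DAV:write-content on this resource.
    write_content: Set[str] = field(default_factory=set)


@dataclass
class Collection:
    path: str
    owner: str                       # assumption: owner is the only one with DAV:bind
    lock_owner: Optional[str] = None  # assumption: at most one exclusive, depth-infinity lock
    bindings: Dict[str, Resource] = field(default_factory=dict)


class Server:
    def __init__(self, require_write_content: bool) -> None:
        # The policy choice under discussion in the thread.
        self.require_write_content = require_write_content
        self.collections: Dict[str, Collection] = {}

    def add_collection(self, coll: Collection) -> None:
        self.collections[coll.path] = coll

    def lock(self, coll: Collection, principal: str) -> None:
        # Only the owner may lock here; a second lock attempt conflicts (423 Locked).
        if coll.owner != principal or coll.lock_owner is not None:
            raise Forbidden("cannot lock %s" % coll.path)
        coll.lock_owner = principal

    def bind(self, principal: str, coll: Collection, segment: str, res: Resource) -> None:
        """BIND res into coll under `segment`, applying the permission model."""
        if coll.owner != principal:
            raise Forbidden("DAV:bind on the collection is required")
        if coll.lock_owner not in (None, principal):
            raise Forbidden("collection is locked by another principal")
        if self.require_write_content and principal not in res.write_content:
            # The extra check Tim and Julian discuss: the requester must already be
            # allowed to modify the resource before it can be pulled under their lock.
            raise Forbidden("DAV:write-content on the bound resource is required")
        coll.bindings[segment] = res

    def locked_against(self, res: Resource, principal: str) -> bool:
        """True if an exclusive lock held by someone else now covers `res`."""
        for coll in self.collections.values():
            if res in coll.bindings.values() and coll.lock_owner not in (None, principal):
                return True
        return False


def scenario(require_write_content: bool) -> Tuple[bool, bool]:
    """Return (bind_succeeded, alice_now_locked_out) for the chosen policy.

    Constructed data: alice owns report.txt; bob owns and locks /bob/ and then
    tries to BIND alice's resource into his locked collection.
    """
    srv = Server(require_write_content)
    report = Resource("report.txt", write_content={"alice"})
    bob_coll = Collection("/bob/", owner="bob")
    srv.add_collection(bob_coll)
    srv.lock(bob_coll, "bob")
    try:
        srv.bind("bob", bob_coll, "report.txt", report)
        bound = True
    except Forbidden:
        bound = False
    return bound, srv.locked_against(report, "alice")


if __name__ == "__main__":
    print("without write-content check:", scenario(False))  # alice is locked out
    print("with write-content check:   ", scenario(True))   # BIND refused, alice unaffected
```

With the check disabled the BIND succeeds and alice's resource is covered by bob's exclusive lock even though bob never gained DAV:write-content on it, which is exactly the lock-by-binding problem in Tim's message; with the check enabled the server refuses the BIND, and a real server would report the missing privilege in an RFC 3744 error body as Julian's second point describes.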