- From: Martin Atkins <mart@degeneration.co.uk>
- Date: Sat, 21 Feb 2009 10:28:10 -0800
- To: www-talk@w3.org
- CC: Julian Reschke <julian.reschke@gmx.de>
Thanks for the response. Julian Reschke wrote: >> >> * Return 405 Method Not Allowed, and indicate in the "Allow" response >> header the methods that this particular authenticated user is allowed >> to perform. (i.e. Allow: GET) > > The description for 405 is not very clear, but the one for "Allow" is > (IMHO): > > "The Allow entity-header field lists the set of methods supported by the > resource identified by the Request-URI." -- > <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7> > > So no, this doesn't fit. > So I guess the thought here is that the text says "methods supported" rather than "methods allowed", which implies that it is not user-sensitive. If Allow is not supposed to reflect the access rights of the remote user, can you suggest an alternative mechanism by which I can tell the client "You can GET but you don't have access to PUT or DELETE?" (Currently I'm using "Allow" for this, but now that you've called out that specific sentence I agree that it does not seem to be intended to reflect access rights.) The need is letting user-agents that retrieve the resource know ahead of time that a PUT or DELETE will not be allowed so that the UI can reflect this, for example by displaying a "Read-only" indicator and disabling the "Save" button.
Received on Saturday, 21 February 2009 18:33:28 UTC