Re: Users with different access rights in HTTP Authentication

Thanks for the response.

Julian Reschke wrote:
>>
>> * Return 405 Method Not Allowed, and indicate in the "Allow" response 
>> header the methods that this particular authenticated user is allowed 
>> to perform. (i.e. Allow: GET)
> 
> The description for 405 is not very clear, but the one for "Allow" is 
> (IMHO):
> 
> "The Allow entity-header field lists the set of methods supported by the 
> resource identified by the Request-URI." -- 
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7>
> 
> So no, this doesn't fit.
> 

So I guess the thought here is that the text says "methods supported" 
rather than "methods allowed", which implies that it is not user-sensitive.

If Allow is not supposed to reflect the access rights of the remote 
user, can you suggest an alternative mechanism by which I can tell the 
client "You can GET but you don't have access to PUT or DELETE?"

(Currently I'm using "Allow" for this, but now that you've called out 
that specific sentence I agree that it does not seem to be intended to 
reflect access rights.)

The need is letting user-agents that retrieve the resource know ahead of 
time that a PUT or DELETE will not be allowed so that the UI can reflect 
this, for example by displaying a "Read-only" indicator and disabling 
the "Save" button.

Received on Saturday, 21 February 2009 18:33:28 UTC
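As an added example that is not part of this thread: a small Python dispatcher in which the Allow header is derived only from what the resource supports (the reading of RFC 2616 section 14.7 quoted above), while a per-user refusal is reported with a separate status. The Resource, User and dispatch names and the choice of 403 Forbidden for the per-user case are this example's assumptions, not something the thread settles.

```python
# Added example, not code from the thread. Keeps "Allow" resource-sensitive
# (same value for every user) and signals per-user restrictions separately.
from dataclasses import dataclass, field


@dataclass
class Resource:
    supported: frozenset  # methods the resource implements, e.g. GET/PUT/DELETE
    body: str = ""


@dataclass
class User:
    name: str
    permitted: frozenset  # methods this user may perform on the resource


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def allow_header(resource):
    # Allow lists what the resource supports; it is not narrowed per user.
    return ", ".join(sorted(resource.supported))


def dispatch(method, resource, user):
    if method not in resource.supported:
        # 405: the resource does not support the method at all.
        # RFC 2616 requires Allow here, and it must not depend on the user.
        return Response(405, {"Allow": allow_header(resource)})
    if user is None:
        # Unauthenticated: challenge rather than reveal anything.
        return Response(401, {"WWW-Authenticate": 'Basic realm="docs"'})
    if method not in user.permitted:
        # Assumption of this example: the per-user refusal is 403, and any
        # Allow sent alongside it still carries the resource's full method set.
        return Response(403, {"Allow": allow_header(resource)})
    return Response(200, {"Allow": allow_header(resource)}, resource.body)


if __name__ == "__main__":
    # Constructed sample: a document supporting GET/PUT/DELETE, a read-only user.
    doc = Resource(frozenset({"GET", "PUT", "DELETE"}), "hello")
    reader = User("alice", frozenset({"GET"}))
    print(dispatch("PUT", doc, reader))    # 403, Allow still "DELETE, GET, PUT"
    print(dispatch("PATCH", doc, reader))  # 405, Allow "DELETE, GET, PUT"
```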