- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 21 Feb 2009 20:24:38 +0100
- To: Martin Atkins <mart@degeneration.co.uk>
- CC: www-talk@w3.org
Martin Atkins wrote:
>>> * Return 405 Method Not Allowed, and indicate in the "Allow" response
>>> header the methods that this particular authenticated user is allowed
>>> to perform. (i.e. Allow: GET)
>>
>> The description for 405 is not very clear, but the one for "Allow" is
>> (IMHO):
>>
>> "The Allow entity-header field lists the set of methods supported by
>> the resource identified by the Request-URI." --
>> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7>
>>
>> So no, this doesn't fit.
>>
>
> So I guess the thought here is that the text says "methods supported"
> rather than "methods allowed", which implies that it is not user-sensitive.

Yes.

> If Allow is not supposed to reflect the access rights of the remote
> user, can you suggest an alternative mechanism by which I can tell the
> client "You can GET but you don't have access to PUT or DELETE?"

You mean, without trying? RFC 3744 is one potential answer, if you can accept a WebDAV basis.

> ...

BR, Julian
Received on Saturday, 21 February 2009 19:25:27 UTC
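
An added example, not part of the original message: RFC 3744 defines the DAV:current-user-privilege-set property, which a client can fetch with PROPFIND to learn its rights without trying each method. The sketch below parses a constructed response and applies the method/privilege table from RFC 3744 Appendix B; the paths and function names are assumptions.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # ElementTree prefix for the DAV: namespace

# Constructed 207 Multi-Status body for a Depth: 1 PROPFIND on /docs/
# asking for DAV:current-user-privilege-set (paths are hypothetical).
SAMPLE = """<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/docs/</D:href><D:propstat><D:prop>
  <D:current-user-privilege-set>
   <D:privilege><D:read/></D:privilege>
  </D:current-user-privilege-set>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/docs/report.txt</D:href><D:propstat><D:prop>
  <D:current-user-privilege-set>
   <D:privilege><D:read/></D:privilege>
  </D:current-user-privilege-set>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/docs/draft.txt</D:href><D:propstat><D:prop>
  <D:current-user-privilege-set>
   <D:privilege><D:read/></D:privilege>
   <D:privilege><D:write-content/></D:privilege>
  </D:current-user-privilege-set>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

def privileges(multistatus_xml):
    """Map each href to the privilege names granted to the current user."""
    result = {}
    for resp in ET.fromstring(multistatus_xml).iter(DAV + "response"):
        granted = set()
        for propstat in resp.iter(DAV + "propstat"):
            status = propstat.findtext(DAV + "status", "").split()
            if status[1:2] != ["200"]:
                continue  # property not returned (e.g. 403/404): grant nothing
            for priv in propstat.iter(DAV + "privilege"):
                granted.update(child.tag[len(DAV):] for child in priv)
        result[resp.findtext(DAV + "href").strip()] = granted
    return result

def allowed_methods(privs, resource, parent):
    """GET/PUT/DELETE on an existing resource, per RFC 3744 Appendix B."""
    own, up = privs.get(resource, set()), privs.get(parent, set())
    checks = [("GET", "read" in own), ("PUT", "write-content" in own),
              ("DELETE", "unbind" in up)]  # DELETE needs unbind on the parent
    return [method for method, ok in checks if ok]

if __name__ == "__main__":
    p = privileges(SAMPLE)
    for path in ("/docs/report.txt", "/docs/draft.txt"):
        print(path, allowed_methods(p, path, "/docs/"))
```

The result is only a hint for the client; the server still has to enforce access control on every request.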