- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 02 Jul 2008 17:29:24 +0200
- To: Javier Godoy <rjgodoy@fich.unl.edu.ar>
- CC: Jim Davis <jrd3@alum.mit.edu>, www-webdav-dasl@w3.org
Javier Godoy wrote:
> ...
> [[
> A query must not allow one to retrieve information about values or
> existence of properties that one could not obtain via PROPFIND. (e.g.
> by use in DAV:orderby, or in expressions on properties.)
> ]]
>
> IMHO this should be an uppercase MUST NOT, in order to emphasize that
> SEARCH must comply with the Access Control Protocol (RFC 3744).
> (At least, the DAV:read privilege must be honored, as well as DAV:read-acl
> and DAV:read-current-user-privilege-set if DAV:acl is
> searchable/selectable/sortable.)
> ...
In the meantime, this says:
A query MUST NOT allow clients to retrieve information that wouldn't
have been available through the GET or PROPFIND methods in the first
place. In particular:
o Query constraints on WebDAV properties for which the client does
not have read access need to be evaluated as if the property did
not exist (see Section 5.5.3).
o Query constraints on content (as with DAV:contains, defined in
Section 5.16) for which the client does not have read access need
to be evaluated as if a GET would return a 4xx status code.
I'm not too enthusiastic to add more RFC3744 related language; after
all, some of the SEARCH implementations do not support RFC3744 anyway,
so it seems to be a better approach to describe this in terms of whether
the client is able to GET the content/PROPFIND a property (thus talk
about status codes, not RFC3744 privileges).
BR, Julian
Received on Wednesday, 2 July 2008 15:30:15 UTC
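An added example (not part of this thread or of the DASL draft) of how a server could apply the two rules Julian quotes: a property the client cannot PROPFIND is evaluated as if it did not exist, and DAV:contains on content the client cannot GET is evaluated as if GET returned 4xx. The data (resources, properties, a per-resource privilege table standing in for an RFC 3744 ACL) is constructed; the property name x:salary and the tuple-based constraint syntax are hypothetical. The code assumes the three-valued logic the draft uses for undefined properties (UNKNOWN propagates through DAV:not, so negation cannot turn a hidden property into a match) and also maps a 4xx GET to UNKNOWN, which is my modelling choice rather than wording from the draft.

```python
from dataclasses import dataclass

UNKNOWN = None  # third truth value: the constraint is neither true nor false

# Extra privilege (beyond DAV:read) needed to PROPFIND a protected property.
PRIVILEGE_FOR = {
    "DAV:acl": "read-acl",
    "DAV:current-user-privilege-set": "read-current-user-privilege-set",
}

@dataclass
class Resource:
    href: str
    props: dict        # property name -> value (constructed sample data)
    body: str          # what GET would return
    privileges: dict   # principal -> set of granted privileges (constructed ACL)

def required_privileges(name):
    return {"read", PRIVILEGE_FOR[name]} if name in PRIVILEGE_FOR else {"read"}

def property_for(res, principal, name):
    """Value the principal could obtain via PROPFIND; UNKNOWN if unreadable or absent."""
    granted = res.privileges.get(principal, set())
    if not required_privileges(name) <= granted:
        return UNKNOWN            # rule 1: behave as if the property did not exist
    return res.props.get(name, UNKNOWN)

def get_allowed(res, principal):
    """True iff GET would succeed (2xx) for this principal."""
    return "read" in res.privileges.get(principal, set())

def tv_not(x):
    return UNKNOWN if x is UNKNOWN else (not x)

def tv_and(xs):
    if any(x is False for x in xs):
        return False
    return UNKNOWN if any(x is UNKNOWN for x in xs) else True

def tv_or(xs):
    if any(x is True for x in xs):
        return True
    return UNKNOWN if any(x is UNKNOWN for x in xs) else False

def evaluate(res, principal, constraint):
    """Evaluate a (op, *args) constraint tree to True, False or UNKNOWN."""
    op, *args = constraint
    if op in ("eq", "gt", "lt"):
        value = property_for(res, principal, args[0])
        if value is UNKNOWN:
            return UNKNOWN
        return {"eq": value == args[1], "gt": value > args[1], "lt": value < args[1]}[op]
    if op == "is-defined":
        return property_for(res, principal, args[0]) is not UNKNOWN
    if op == "contains":
        if not get_allowed(res, principal):
            return UNKNOWN        # rule 2: as if GET returned 4xx (modelled as UNKNOWN)
        return args[0] in res.body
    if op == "not":
        return tv_not(evaluate(res, principal, args[0]))
    if op == "and":
        return tv_and([evaluate(res, principal, c) for c in args])
    if op == "or":
        return tv_or([evaluate(res, principal, c) for c in args])
    raise ValueError(f"unsupported operator {op}")

def search(resources, principal, where, orderby=None):
    """Hrefs whose constraint is True, optionally sorted by a property via the same visibility rule."""
    hits = [r for r in resources if evaluate(r, principal, where) is True]
    if orderby:
        # An unreadable sort key is indistinguishable from an absent one: both sort last,
        # so DAV:orderby cannot be used to rank resources by a value the client may not read.
        def key(r):
            v = property_for(r, principal, orderby)
            return (v is UNKNOWN, 0 if v is UNKNOWN else v)
        hits.sort(key=key)
    return [r.href for r in hits]

# Constructed sample collection: alice may read everything, bob only /pub/a.txt.
RESOURCES = [
    Resource("/pub/a.txt", {"DAV:getcontentlength": 10, "x:salary": 50000},
             "public text", {"alice": {"read"}, "bob": {"read"}}),
    Resource("/hr/b.txt", {"DAV:getcontentlength": 20, "x:salary": 90000},
             "confidential", {"alice": {"read"}}),
    Resource("/hr/c.txt", {"DAV:getcontentlength": 30, "x:salary": 70000, "DAV:acl": "<acl/>"},
             "secret memo", {"alice": {"read"}}),
]

if __name__ == "__main__":
    print(search(RESOURCES, "alice", ("gt", "x:salary", 60000), orderby="x:salary"))
    print(search(RESOURCES, "bob", ("not", ("gt", "x:salary", 60000))))
    print(search(RESOURCES, "bob", ("contains", "secret")))
```

Note how bob's negated query returns only /pub/a.txt: for the two HR resources the salary comparison is UNKNOWN, DAV:not leaves it UNKNOWN, and only True selects, so the result reveals nothing about properties bob could not PROPFIND. Likewise alice, who has DAV:read but not DAV:read-acl, gets no hit for an is-defined test on DAV:acl.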