- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 02 Jul 2008 17:29:24 +0200
- To: Javier Godoy <rjgodoy@fich.unl.edu.ar>
- CC: Jim Davis <jrd3@alum.mit.edu>, www-webdav-dasl@w3.org
Javier Godoy wrote: > ... > [[ > A query must not allow one to retrieve information about values or > existence of properties that one could not obtain via PROPFIND. (e.g. > by use in DAV:orderby, or in expressions on properties.) > ]] > > IMHO this should be an uppercase MUST NOT, in order to emphasize that > SEARCH > must comply with the Access Control Protocol (RFC 3744). > (At least, the DAV:read privilege must be honored, as well as DAV:read-acl > and DAV:read-current-user-privilege-set if DAV:acl is > searchable/selectable/sortable.) > ... In the meantime, this says: A query MUST NOT allow clients to retrieve information that wouldn't have been available through the GET or PROPFIND methods in the first place. In particular: o Query constraints on WebDAV properties for which the client does not have read access need to be evaluated as if the property did not exist (see Section 5.5.3). o Query constraints on content (as with DAV:contains, defined in Section 5.16) for which the client does not have read access need to be evaluated as if a GET would return a 4xx status code. I'm not too enthusiastic to add more RFC3744 related language; after all, some of the SEARCH implementations do not support RFC3744 anyway, so it seems to be a better approach to describe this in terms of whether the client is able to GET the content/PROPFIND a property (thus talk about status codes, not RFC3744 privileges). BR, Julian
Received on Wednesday, 2 July 2008 15:30:15 UTC