hi dirk,
They still seem to some inconsistencies in the implementation of the
Webdav Access Control Extensions.
-The privilege DAV:all is still defined as abstract but the AclMethod is
allowing the DAV:all privilege to be
granted/denied.
-The AclMethod is still allowing granting of privileges
PRIVILEGE_READ_REVISION_METADATA,
PRIVILEGE_READ_REVISION_CONTENT which are not present in the privileges
set returned by supported-privileges(Only
all,read,write,read-acl,write-acl are present).
- The aclmethod and the propfind methods still differ regarding their
interpretation of the write privilege.
The aclmethod for write privilege does not seem to be granting/denying
removeRevisionContent privilege in slide.
thanks,
rajkumar
-----Original Message-----
From: Dirk Verbeeck [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Inconsistencies in Webdav Access Control
Raj Kumar wrote:
> hi dirk,
> I found the following inconsistencies in the implementation of the
webdav
> Access Control Protocol.
>
> 1) Both "current-user-privilege-set" and "acl" properties on some
resources
> returns the privilege DAV:all but the specification says that only
> non-abstract privileges from the DAV:supported-privilege-set property
should
> be returned(Section 5.3 last para).Hence the DAV:all privilege should
never
> be returned for both acl and current-user-privilege set properties since
> DAV:all is returned as an abstract privilege in the
supported-privilege-set
> property.
> 2)The acl method on resources must only contain non-abstract elements
> specified in the DAV:supported-privilege-set of that resource.But the acl
> method is currently allowing setting of the privileges which are not even
> there in the supported-privilege-set property of the resource like
> "read-revision-content", "read-revision-metadata", "grant-permission" and
> non-abstract privileges like DAV:all etc.
> (Section 5.4.2)
> 3) The propfind method implementation for a request on a resource for the
> "acl" property is inconsistent with the ACl method implementation . For
> example in the propfind implementation a principal is considered to have
> "read" privilege only if
> he has "readObject","readRevisionMetadata" ,"readRevisionContent"
privileges
> used in slide.
> boolean canRead = readObject && readRevisionMetadata &&
> readRevisionContent;
>
> But the acl method implementation for "read" privilege request for a
> principal grants "readObject","readRevisionMetadata",
> "readRevisionContent" and also "readLocks" .Similarily for the "write"
> privilege the principal is granted 8 privileges in slide in the acl method
> implementation but the propfind method request for the "acl" property
> returns "write" only if the principal has ten slide privileges.
> boolean canWrite = createObject && removeObject && lockObject
> && readLocks && createRevisionMetadata
> && modifyRevisionMetadata && removeRevisionMetadata
> && createRevisionContent && modifyRevisionContent
> && removeRevisionContent;
>
> thanks,
> rajkumar
I'll make DAV:all not-abstract (to support "grant all to user")
and put a restriction on the use of the other privileges.
Item 3, I have to look at the code but for the moment I don't have the time,
maybe next week.
Best Regards
Dirk
