Hi Jan,

the ACL standard just defines the owner as a protected property, which marks it as not changeable by PropPatch. However, under 5.1 (draft-ietf-webdav-acl-08) the standard says that the owner could have special access control capabilities like the Dav:write-acl privilege. If such a right were assigned to the owner property, a principal authorized for Dav:write but not for Dav:write-acl could give himself the Dav:write-acl right by just doing an update. This would open a security hole.
regards,
Peter

> -----Original Message-----
> From: Jan Wrang [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 17, 2002 10:46
> To: [EMAIL PROTECTED]
> Subject: bugfix for webdav method PUT
>
> Hi,
>
> I have a suggestion for a change in the code in PutMethod.java
> (I have found this 'feature' in SLIDE_1_0_16, and haven't
> checked the head branch..)
>
> In a normal update of a file, I suggest adding the following
> line of code:
>
> revisionDescriptor.setOwner(slideToken.getCredentialsToken().getPublicCredentials());
>
> This has influence in two areas:
> 1. When one user saves a file to slide and another user
> updates the file later on, Author isn't updated.
> 2. When a new file is added to slide by doing a "save as" in
> MS Word, owner isn't added to this file in
> the database - when the above code is missing.
>
> Best regards,
>
> Jan
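The concern raised in the reply, as an added example that is not part of the thread and is not Slide's code: a constructed toy model in which the owner implicitly holds DAV:write-acl, comparing a PUT that sets the owner on every update with one that leaves the owner alone. The class, method and principal names (`OwnerOnPutDemo`, `putResettingOwner`, `putKeepingOwner`, `alice`, `bob`) are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed toy model, not Slide's API: one resource with an owner and explicit grants.
public class OwnerOnPutDemo {
    static class Resource {
        String owner;
        final Map<String, Set<String>> grants = new HashMap<>();
    }

    // Assumption taken from the reply: the server gives the owner DAV:write-acl implicitly.
    static boolean hasPrivilege(Resource r, String principal, String privilege) {
        if (privilege.equals("DAV:write-acl") && principal.equals(r.owner)) {
            return true;
        }
        return r.grants.getOrDefault(principal, Set.of()).contains(privilege);
    }

    // PUT that sets the owner to the caller on every update (the proposed behaviour).
    static void putResettingOwner(Resource r, String principal) {
        if (!hasPrivilege(r, principal, "DAV:write")) {
            throw new SecurityException(principal + " lacks DAV:write");
        }
        r.owner = principal; // owner now follows whoever wrote last
    }

    // PUT that treats the owner as protected once the resource exists.
    static void putKeepingOwner(Resource r, String principal) {
        if (!hasPrivilege(r, principal, "DAV:write")) {
            throw new SecurityException(principal + " lacks DAV:write");
        }
        // content would be updated here; r.owner is left untouched
    }

    // Constructed sample: alice created the file, bob was granted DAV:write only.
    static Resource sample() {
        Resource r = new Resource();
        r.owner = "alice";
        r.grants.put("bob", Set.of("DAV:write"));
        return r;
    }

    public static void main(String[] args) {
        Resource a = sample();
        putResettingOwner(a, "bob");
        System.out.println("owner reset on PUT, bob has write-acl: "
                + hasPrivilege(a, "bob", "DAV:write-acl"));
        Resource b = sample();
        putKeepingOwner(b, "bob");
        System.out.println("owner kept on PUT, bob has write-acl: "
                + hasPrivilege(b, "bob", "DAV:write-acl"));
    }
}
```

Recording the last writer in a separate, non-privileged property would cover the "Author isn't updated" case without touching the owner.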
