Awesome. I'll look into a way to fix this. We want to keep the behavior
it has now (generates a pretty html display) but need to change how it
gets its list of child resource.
-James
Andrey Shulinsky wrote:
Aha, you're absolutely right! I've completely forgotten about this
GET/PROPFIND difference.
About the code - WebdavServlet relies on its parent - HttpServlet - handle
GET request if it applies to a collection:
if ((methodName.equalsIgnoreCase("GET") ||
methodName.equalsIgnoreCase("POST")) &&
isCollection(req)) {
// let the standard doGet() / doPost() methods handle
// GET/POST requests on collections (to display a directory
// index pag or something similar)
super.service(req, resp);
}
So this "collection" case should have some special handling. Probably just
the substitution of the GET request by the PROPFIND will do the trick but I
can't tell for sure - I'm not an expert in their syntax.
Yours sincerely,
Andrey.
-----Original Message-----
From: Slide Users Mailing List [mailto:[EMAIL PROTECTED]
Sent: Monday, August 16, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: Re: Why need read privilege on upstream folders to
achieve a writ e permission
Importance: Low
I would expect any WebDAV client to behave this way,
actually. A WebDAV client uses PROPFIND to get a list of the
children of a collection. A normal browser on the other hand
issues a GET. The problem here is the GET request is listing
all children rather than just the children the user has
access to. I consider this a security issue, albeit a minor one.
I'm having trouble tracking down how GETs are handled
specially for collections, so I'm hoping someone who's
familiar with the code will step in with a solution or at
least a pointer in the right direction.
-James
Andrey Shulinsky wrote:
Actually, it's not a big deal, although ideally all WebDAV clients
should work in the same way. I wish I had more time to help in
testing... For
now I
can say that MacOS WebDAV support is consistent with WebFolders in
handling
GET requests.
Yours sincerely,
Andrey.
You're right. It looks like this is a bug in the way GET
requests for
collections are handled. I'll look into this.
-James
Andrey Shulinsky wrote:
Hi, Warwick, James, everybody!
My 2 cents about the matter.
Just to clarify, your "traverse" permission *is* how the read
permission works on collections. If you get a list of the
children of
a collection you will only see the children to which you
have read
access as well.
It depends on the client, actually. WebFolders are OK, but IE, for
example,
shows all children - with 2.0, at least.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
