Well, my first answer was a little bit ... quick written.
As Carlos said, with security disabled anybody has the kill-lock permission.
The lock owner is the prinipal as that your are authneticated at the webapp.
So in addition to the first point with security disabled all users are treated as the single user "unauthenticated" so everybody is the lock owner and don't need "kill-lock".
But I observed a similar behavior with security _enabled_. You can delete resources that an other one has locked if you provide the lock token in the If header. That's invalid, I think, and that't I talk aboud in bug 30982.
An other point to mention. UNLOCK should not use the If header it must use the Lock-Token header to provide the lock token to be removed. What client do you use?
Cheers, Stefan
Warwick Burrows wrote:
Can any user unlock another user's locks? I didn't think that was valid. What I'm seeing in 2.1B1 is that any user (the default for the CLI being called "Slide") can unlock a lock owned by another user. I worked my way through the client piece of the puzzle and I see that it is setting the locktoken in the header of the unlock request. But I don't see where its setting the owner? eg.
to server ---------------------------------------------------
UNLOCK /slide/files/my%20stuff/outf HTTP/1.1
If: (<opaquelocktoken:600107b7c611f08d4bf10af71e6d3a3f>) User-Agent: Jakarta Commons-HttpClient/2.0rc3
Host: localhost:20080
Cookie: $Version=0; JSESSIONID=D1E5A4582544A30F431FFE72C628DEEB;
$Path=/slide
Content-Length: 0
Is it supposed to set the owner information in the request header so that the server knows who is trying to do the unlock and can compare it to the lock owner? I've still to look into the server side. I'm running my configuration with security disabled but locks enabled in slide.properties.
Thanks,
Warwick
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
