Martin Atkins wrote:
> * Return 405 Method Not Allowed, and indicate in the "Allow" response
> header the methods that this particular authenticated user is allowed
> to perform. (i.e. Allow: GET)
The description for 405 is not very clear, but the one for "Allow" is
(IMHO):
"The Allow entity-header field lists the set of methods supported by
the resource identified by the Request-URI." --
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7>
So no, this doesn't fit.
> So I guess the thought here is that the text says "methods supported"
> rather than "methods allowed", which implies that it is not user-sensitive.
Yes.
> If Allow is not supposed to reflect the access rights of the remote
> user, can you suggest an alternative mechanism by which I can tell the
> client "You can GET but you don't have access to PUT or DELETE?"
You mean, without trying? RFC 3744 is one potential answer, if you can
accept a WebDAV basis.
...
BR, Julian
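As an added illustration (not code from the thread or from either author), a small Python handler applies the reading discussed above: Allow lists the methods the resource supports, identical for every requester, and a per-user denial is signalled with 403 rather than by narrowing Allow. A second, user-sensitive variant is included only to show the contradiction it produces. The resource, users and ACL are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    # Methods the resource implements, regardless of who is asking
    # (RFC 2616 s.14.7: Allow is a property of the resource).
    supported: frozenset = field(default_factory=frozenset)
    # Per-user permitted methods; constructed sample ACL, not a real model.
    acl: dict = field(default_factory=dict)


def handle(resource, user, method):
    """Return (status, headers) for `user` requesting `method` on `resource`."""
    allow = ", ".join(sorted(resource.supported))
    if method not in resource.supported:
        # 405: the resource does not implement this method at all.
        # Allow carries the resource's method set, the same for every user.
        return 405, {"Allow": allow}
    if method not in resource.acl.get(user, frozenset()):
        # The method exists but this principal may not use it: an access
        # decision, so 403. Allow is not narrowed to the user's rights.
        return 403, {}
    return 200, {}


def handle_user_sensitive(resource, user, method):
    """The variant the thread argues against: Allow narrowed per user."""
    permitted = resource.acl.get(user, frozenset()) & resource.supported
    if method not in permitted:
        return 405, {"Allow": ", ".join(sorted(permitted))}
    return 200, {}


# Constructed sample: one resource, two principals with different rights.
SAMPLE = Resource(
    supported=frozenset({"GET", "PUT", "DELETE"}),
    acl={"alice": frozenset({"GET"}), "bob": frozenset({"GET", "PUT", "DELETE"})},
)


def allow_is_user_independent(handler, resource, method):
    """True if every principal receives the same Allow value for `method`."""
    values = {handler(resource, u, method)[1].get("Allow") for u in resource.acl}
    return len(values) == 1
```

Run against `SAMPLE`, `handle` yields the same Allow header for both users on an unsupported method, while `handle_user_sensitive` yields a different one per user, which is exactly the user-sensitivity the thread says Allow must not express.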