List:       slide-dev
Subject:    Re: Inconsistencies in  Webdav Access Control
From:       "Remy Maucherat" <rmaucher1 () home ! com>
Date:       2001-09-26 21:31:13

> Raj Kumar wrote:
>
> > hi dirk,
> >    I found the following inconsistencies in the implementation of the
> > webdav Access Control Protocol.
> >
> > 1) Both "current-user-privilege-set" and "acl" properties on some
> > resources return the privilege DAV:all but the specification says that
> > only non-abstract privileges from the DAV:supported-privilege-set
> > property should be returned (Section 5.3 last para). Hence the DAV:all
> > privilege should never be returned for both acl and
> > current-user-privilege-set properties since DAV:all is returned as an
> > abstract privilege in the supported-privilege-set property.
> > 2) The acl method on resources must only contain non-abstract elements
> > specified in the DAV:supported-privilege-set of that resource. But the
> > acl method is currently allowing setting of the privileges which are not
> > even there in the supported-privilege-set property of the resource like
> > "read-revision-content", "read-revision-metadata", "grant-permission"
> > and non-abstract privileges like DAV:all etc.
> > (Section 5.4.2)
> > 3) The propfind method implementation for a request on a resource for
> > the "acl" property is inconsistent with the ACL method implementation.
> > For example in the propfind implementation a principal is considered to
> > have "read" privilege only if he has "readObject",
> > "readRevisionMetadata", "readRevisionContent" privileges used in slide.
> >     boolean canRead = readObject && readRevisionMetadata &&
> > readRevisionContent;
> >
> > But the acl method implementation for "read" privilege request for a
> > principal grants "readObject", "readRevisionMetadata",
> > "readRevisionContent" and also "readLocks". Similarly for the "write"
> > privilege the principal is granted 8 privileges in slide in the acl
> > method implementation but the propfind method request for the "acl"
> > property returns "write" only if the principal has ten slide privileges.
> >     boolean canWrite = createObject && removeObject && lockObject
> >                 && readLocks && createRevisionMetadata
> >                 && modifyRevisionMetadata && removeRevisionMetadata
> >                 && createRevisionContent && modifyRevisionContent
> >                 && removeRevisionContent;
> >
> >     thanks,
> >     rajkumar
>
> I'll make DAV:all not-abstract (to support "grant all to user")
> and put a restriction on the use of the other privileges.
> Item 3, I have to look at the code but for the moment I don't have the
> time, maybe next week.

Ok, I'll take care of that one then.

Remy
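
The mismatch described in item 3 of the quoted report, as an added example that is not part of the thread and not Slide's own code: it compares the Slide privileges the ACL method grants for a WebDAV privilege with those PROPFIND requires before reporting it. The class and map names are hypothetical, and the eight privileges listed for "write" on the grant side are constructed, since the message gives only the count.

```java
import java.util.*;

public class AclMappingCheck {
    // What the ACL method grants for each WebDAV privilege.
    // "read" is as described in the message; the message does not say which
    // eight privileges "write" grants, so this subset is constructed.
    static final Map<String, Set<String>> GRANTED_BY_ACL = Map.of(
        "read", Set.of("readObject", "readRevisionMetadata",
                       "readRevisionContent", "readLocks"),
        "write", Set.of("createObject", "removeObject", "lockObject", "readLocks",
                        "createRevisionMetadata", "modifyRevisionMetadata",
                        "createRevisionContent", "modifyRevisionContent"));

    // What PROPFIND requires before reporting each privilege in the "acl"
    // property (the canRead / canWrite expressions quoted in the message).
    static final Map<String, Set<String>> REQUIRED_BY_PROPFIND = Map.of(
        "read", Set.of("readObject", "readRevisionMetadata", "readRevisionContent"),
        "write", Set.of("createObject", "removeObject", "lockObject", "readLocks",
                        "createRevisionMetadata", "modifyRevisionMetadata",
                        "removeRevisionMetadata", "createRevisionContent",
                        "modifyRevisionContent", "removeRevisionContent"));

    /** Returns one finding per mismatch between the two mappings. */
    static List<String> findMismatches() {
        List<String> findings = new ArrayList<>();
        for (String priv : new TreeSet<>(REQUIRED_BY_PROPFIND.keySet())) {
            Set<String> granted = GRANTED_BY_ACL.getOrDefault(priv, Set.of());
            Set<String> required = REQUIRED_BY_PROPFIND.get(priv);

            // Required but never granted: an ACL grant is not reported back.
            Set<String> missing = new TreeSet<>(required);
            missing.removeAll(granted);
            if (!missing.isEmpty())
                findings.add(priv + ": granted via ACL but not reported by PROPFIND; missing " + missing);

            // Granted but never checked: access the "acl" property does not show.
            Set<String> extra = new TreeSet<>(granted);
            extra.removeAll(required);
            if (!extra.isEmpty())
                findings.add(priv + ": ACL grants more than PROPFIND checks; extra " + extra);
        }
        return findings;
    }

    public static void main(String[] args) {
        findMismatches().forEach(System.out::println);
    }
}
```

Driving both the ACL expansion and the PROPFIND check from one shared mapping makes this comparison come back empty by construction.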
