List: slide-dev
Subject: Re: Inconsistencies in Webdav Access Control
From: "Remy Maucherat" <rmaucher1 () home ! com>
Date: 2001-09-26 21:31:13
> Raj Kumar wrote:
>
> > hi dirk,
> > I found the following inconsistencies in the implementation of the WebDAV
> > Access Control Protocol.
> >
> > 1) Both "current-user-privilege-set" and "acl" properties on some resources
> > return the privilege DAV:all, but the specification says that only
> > non-abstract privileges from the DAV:supported-privilege-set property should
> > be returned (Section 5.3, last para). Hence the DAV:all privilege should never
> > be returned for both acl and current-user-privilege-set properties, since
> > DAV:all is returned as an abstract privilege in the supported-privilege-set
> > property.
> > 2) The acl method on resources must only contain non-abstract elements
> > specified in the DAV:supported-privilege-set of that resource. But the acl
> > method is currently allowing setting of the privileges which are not even
> > there in the supported-privilege-set property of the resource, like
> > "read-revision-content", "read-revision-metadata", "grant-permission" and
> > non-abstract privileges like DAV:all etc.
> > (Section 5.4.2)
> > 3) The propfind method implementation for a request on a resource for the
> > "acl" property is inconsistent with the ACL method implementation. For
> > example, in the propfind implementation a principal is considered to have
> > "read" privilege only if he has "readObject", "readRevisionMetadata",
> > "readRevisionContent" privileges used in slide.
> > boolean canRead = readObject && readRevisionMetadata &&
> > readRevisionContent;
> >
> > But the acl method implementation for "read" privilege request for a
> > principal grants "readObject", "readRevisionMetadata",
> > "readRevisionContent" and also "readLocks". Similarly for the "write"
> > privilege the principal is granted 8 privileges in slide in the acl method
> > implementation but the propfind method request for the "acl" property
> > returns "write" only if the principal has ten slide privileges.
> > boolean canWrite = createObject && removeObject && lockObject
> > && readLocks && createRevisionMetadata
> > && modifyRevisionMetadata && removeRevisionMetadata
> > && createRevisionContent && modifyRevisionContent
> > && removeRevisionContent;
> >
> > thanks,
> > rajkumar
>
> I'll make DAV:all not-abstract (to support "grant all to user")
> and put a restriction on the use of the other privileges.
> Item 3, I have to look at the code but for the moment I don't have the time,
> maybe next week.
Ok, I'll take care of that one then.
Remy
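The three items above boil down to two checks that a server can make mechanically: the ACL method and PROPFIND must expand WebDAV privileges through one shared aggregate table (so a round-trip grant/report cannot diverge, item 3), and anything that is abstract or absent from supported-privilege-set is neither settable nor reported (items 1 and 2). The following is an added example written for this thread, not Slide's code; the Slide privilege names come from the mail, the DAV:read/DAV:write groupings reproduce the ten-privilege PROPFIND rule quoted above, and the 8-privilege ACL_TABLE is a constructed guess at the divergent mapping, used only to show that the check catches it.

```python
# Added example (not Slide's code). Slide privilege names are taken from the thread;
# which 8 of the 10 the ACL method grants for DAV:write is not stated, so ACL_TABLE
# is constructed purely to reproduce the item-3 inconsistency.
PROPFIND_TABLE = {
    "DAV:read": {"readObject", "readRevisionMetadata", "readRevisionContent"},
    "DAV:write": {"createObject", "removeObject", "lockObject", "readLocks",
                  "createRevisionMetadata", "modifyRevisionMetadata",
                  "removeRevisionMetadata", "createRevisionContent",
                  "modifyRevisionContent", "removeRevisionContent"},
}
# What the thread says the ACL method grants today: read gets readLocks too,
# write gets only 8 Slide privileges (the two dropped here are an assumption).
ACL_TABLE = {
    "DAV:read": PROPFIND_TABLE["DAV:read"] | {"readLocks"},
    "DAV:write": PROPFIND_TABLE["DAV:write"] - {"readLocks", "lockObject"},
}
# supported-privilege-set: privilege -> abstract?  DAV:all is abstract, as in item 1.
SUPPORTED = {"DAV:all": True, "DAV:read": False, "DAV:write": False}


def grant(granted, privilege, table):
    """ACL method: only a non-abstract member of supported-privilege-set may be
    set (Section 5.4.2); an unknown name is treated as unsupported."""
    if SUPPORTED.get(privilege, True):
        raise ValueError(f"{privilege}: not a settable privilege")
    return set(granted) | table[privilege]


def report(granted, table):
    """PROPFIND DAV:acl / current-user-privilege-set: report only non-abstract
    supported privileges whose Slide privileges are all held (Section 5.3)."""
    return sorted(p for p, abstract in SUPPORTED.items()
                  if not abstract and table[p] <= set(granted))


def roundtrip_failures(grant_table, report_table):
    """Settable privileges that, once granted via the ACL method, PROPFIND does
    not report back. Empty when both methods share one table."""
    return [p for p, abstract in SUPPORTED.items() if not abstract
            and p not in report(grant(set(), p, grant_table), report_table)]


def rejects(privilege, table=PROPFIND_TABLE):
    """True when the ACL method refuses to set this privilege."""
    try:
        grant(set(), privilege, table)
    except ValueError:
        return True
    return False
```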