Mr. Demeanour wrote:
> Hi,
>
> The UNLOCK method requires the <unlock/> privilege, unless the user is
> the owner of the lock, in which case no privilege is required (just the
> lock token).
Yes.
> How is it possible to tell whether the owner of a lock is the current
> user? If the user is authenticated, then he is a principal; but there is
> nothing to link the owner of a lock to a principal, since the <owner>
> element is defined to contain an arbitrary string.
Yes. What you're looking for is the *creator* of the lock
(<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#lock-creator>),
which is not exposed with the lock.
> So is it intended that the <owner> for a lock is simply anyone who has a
> copy of the token? But anyone can get the token, just by doing
> lockdiscovery.
No, that's not the intention.
> So when is the <unlock/> privilege required? Does any existing server
> enforce the <unlock/> privilege?
The one we wrote certainly does, and I expect the same applies to many
others.
How is this a problem?
Best regards, Julian
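
The UNLOCK check discussed in this thread, as an added example that is not part of the original message and not the code of any server mentioned in it. It assumes the server records the authenticated lock creator beside each lock; the names Lock, Resource, unlock_acl and authorize_unlock, the sample data, and the choice of status codes are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass(frozen=True)
class Lock:
    token: str      # opaque token; any reader can learn it via lockdiscovery
    owner_xml: str  # client-supplied <owner> content: arbitrary text, display only
    creator: str    # authenticated principal that issued LOCK (kept server-side)

@dataclass
class Resource:
    lock: Optional[Lock] = None
    unlock_acl: Set[str] = field(default_factory=set)  # principals granted <unlock/>

def authorize_unlock(res: Resource, principal: Optional[str],
                     lock_token_header: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, reason) for an UNLOCK request (status codes assumed)."""
    if not lock_token_header:
        return 400, "Lock-Token header missing"
    # The Lock-Token header carries the token in angle brackets.
    token = lock_token_header.strip().lstrip("<").rstrip(">")
    if res.lock is None or token != res.lock.token:
        return 409, "token does not identify a lock on this resource"
    if principal is None:
        return 401, "authentication required"
    # Holding the token proves nothing about identity: compare principals,
    # and never consult owner_xml, which the locking client wrote freely.
    if principal == res.lock.creator:
        return 204, "permitted: requester is the lock creator"
    if principal in res.unlock_acl:
        return 204, "permitted: requester holds the <unlock/> privilege"
    return 403, "not the lock creator and no <unlock/> privilege"

# Constructed sample data: alice created the lock but named bob in <owner>.
TOKEN = "urn:uuid:00000000-0000-4000-8000-000000000001"
DOC = Resource(lock=Lock(TOKEN, "<href>mailto:bob@example.org</href>", "alice"),
               unlock_acl={"admin"})

if __name__ == "__main__":
    for who in ("alice", "bob", "admin", None):
        print(who, authorize_unlock(DOC, who, f"<{TOKEN}>"))
```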