RFC Compliance/WebDAV ACL

From Davical
< RFC Compliance
Revision as of 12:25, 14 November 2009 by Karora (talk) (Details of Unsupported Features)
Jump to navigationJump to search

Covering the RFC3744{{#if:WebDAV Access Control Protocol|:  |}}WebDAV Access Control Protocol points in detail and listing where DAViCal is believed to be in compliance with the specification.

Overview

From Section 2 of the RFC:

In addition, a server:

  • SHOULD support the MKCALENDAR method defined in Section 5.3.1 of this document.

Details of Unsupported Features

Section Feature Requirement Status as at 0.9.8
2. expose principal resources at an http(s) URL, which is a privileged scheme that points to resources that have additional properties, as described in Section 4 MUST Supported
3. Ability to perform a given method on a resource MUST be controlled by one or more privileges. MUST Supported
3. A principal with no privileges to a resource MUST be denied any HTTP access to that resource, unless the principal matches an ACE constructed using the DAV:all, DAV:authenticated, or DAV:unauthenticated pseudo-principals (see Section 5.5.1). MUST Supported
3. Servers MUST report a 403 "Forbidden" error if access is denied, except in the case where the privilege restricts the ability to know the resource exists, in which case 404 "Not Found" may be returned. MUST Supported
3. Privilege containment loops are not allowed; therefore, a privilege MUST NOT contain itself. MUST Supported
3. Privileges defined by individual implementations MUST NOT use the DAV: namespace, and instead should use a namespace that they control, such as an http scheme URL. MUST NOT Supported
3.1. the read privilege MUST control the OPTIONS method. MUST :  |}})
3.5. Any privilege controlling access by non-lock owners to UNLOCK MUST be aggregated under DAV:unlock. MUST Supported
3.12. Aggregation of Predefined Privileges MUST Supported
4. A principal MUST have a non-empty DAV:displayname property, and a DAV:resourcetype property. Additionally, a principal MUST report the DAV:principal XML element in the value of the DAV:resourcetype property. MUST Supported
4.1. Support for the alternate-URI-set property is REQUIRED, and the value is empty if no alternate URI exists for the principal. MUST :  |}})
4.2. Support for the principal-URL property is REQUIRED. MUST Supported
4.3. A URL in the DAV:group-member-set for a principal MUST be the DAV:principal-URL of that principal. MUST Supported
4.4. Support for the group-membership property is REQUIRED. MUST Supported
5. HTTP resources that support the WebDAV Access Control Protocol MUST contain the following properties:
  • DAV:owner
  • DAV:group
  • DAV:supported-privilege-set
  • DAV:current-user-privilege-set
  • DAV:acl
  • DAV:acl-restrictions
  • DAV:inherited-acl-set
  • DAV:principal-collection-set

Null resources (described in RFC4918{{#if:WebDAV|:  |}}WebDAV) MUST NOT contain these properties.

MUST :  |}}) Partially supported - missing:
  • DAV:group
  • DAV:acl-restrictions
  • DAV:inherited-acl-set
  • DAV:principal-collection-set
5.3. An abstract privilege MUST NOT be used in an ACE for that resource. MUST NOT Needs to be confirmed.
5.3. Servers MUST fail an attempt to set an abstract privilege. MUST Needs to be confirmed.
5.3. Servers MUST indicate the human language of the description using the xml:lang attribute MUST :  |}})
5.4. Each element in the DAV:current-user-privilege-set property MUST identify a non-abstract privilege from the DAV:supported-privilege-set property. MUST Needs to be confirmed
5.5.2. A DAV:grant or DAV:deny element of the DAV:acl of a resource MUST only contain non-abstract elements specified in the DAV:supported-privilege-set of that resource. MUST Needs to be confirmed (client issue?)
5.5.3. If the ACL of a resource contains an ACE with a DAV:protected element, an attempt to remove that ACE from the ACL MUST fail. MUST :  |}})
7.1.1. If an HTTP method fails due to insufficient privileges, the response body to the "403 Forbidden" error MUST contain the <DAV:error> element, which in turn contains the <DAV:need-privileges> element, which contains one or more <DAV:resource> elements indicating which resource had insufficient privileges, and what the lacking privileges were. MUST :  |}})
7.2. If the server supports access control, it MUST return "access-control" as a field in the DAV response header from an OPTIONS request on any resource implemented by that server. MUST Needs to be confirmed (I believe so).
7.2. A value of "access-control" in the DAV header MUST indicate that the server supports all MUST level requirements and REQUIRED features in this RFC. MUST :  |}})
7.3. When a resource is moved from one location to another due to a MOVE request, the non-inherited and non-protected ACEs in the DAV:acl property of the resource MUST NOT be modified, or the MOVE request fails. MUST Supported
. The DAV:acl property on the resource at the destination of a COPY MUST be the same as if the resource was created by an individual resource creation request (e.g., MKCOL, PUT). MUST :  |}}) (COPY is not yet supported.
. MUST Supported
. MUST Supported
. MUST Supported
. MUST Supported
. MUST Supported
. MUST Supported

Notes:

  • DAViCal should respond to acl-restrictions as follows, at least initially:
<DAV::acl-restrictions>
 <DAV::grant-only/>
 <DAV::no-invert/>
</DAV::acl-restrictions>