RFC Compliance/WebDAV ACL

This page covers the RFC3744 (WebDAV Access Control Protocol) requirements in detail and lists where DAViCal is believed to be in compliance with the specification.

Overview

The most urgent change needed for support of RFC3744 is support for the ACL method.

Details of Unsupported Features

| Section | Feature | Requirement | Status as at 0.9.8 |
|---|---|---|---|
| 2. | expose principal resources at an http(s) URL, which is a privileged scheme that points to resources that have additional properties, as described in Section 4 | MUST | Supported |
| 3. | Ability to perform a given method on a resource MUST be controlled by one or more privileges. | MUST | Supported |
| 3. | A principal with no privileges to a resource MUST be denied any HTTP access to that resource, unless the principal matches an ACE constructed using the DAV:all, DAV:authenticated, or DAV:unauthenticated pseudo-principals (see Section 5.5.1). | MUST | Supported |
| 3. | Servers MUST report a 403 "Forbidden" error if access is denied, except in the case where the privilege restricts the ability to know the resource exists, in which case 404 "Not Found" may be returned. | MUST | Supported |
| 3. | Privilege containment loops are not allowed; therefore, a privilege MUST NOT contain itself. | MUST | Supported |
| 3. | Privileges defined by individual implementations MUST NOT use the DAV: namespace, and instead should use a namespace that they control, such as an http scheme URL. | MUST NOT | Supported |
| 3.1. | The read privilege MUST control the OPTIONS method. | MUST | |
| 3.5. | Any privilege controlling access by non-lock owners to UNLOCK MUST be aggregated under DAV:unlock. | MUST | Supported |
| 3.12. | Aggregation of Predefined Privileges | MUST | Supported |
| 4. | A principal MUST have a non-empty DAV:displayname property, and a DAV:resourcetype property. Additionally, a principal MUST report the DAV:principal XML element in the value of the DAV:resourcetype property. | MUST | Supported |
| 4.1. | Support for the alternate-URI-set property is REQUIRED, and the value is empty if no alternate URI exists for the principal. | MUST | |
| 4.2. | Support for the principal-URL property is REQUIRED. | MUST | Supported |
| 4.3. | A URL in the DAV:group-member-set for a principal MUST be the DAV:principal-URL of that principal. | MUST | Supported |
| 4.4. | Support for the group-membership property is REQUIRED. | MUST | Supported |
| 5. | HTTP resources that support the WebDAV Access Control Protocol MUST contain the following properties: DAV:owner, DAV:group, DAV:supported-privilege-set, DAV:current-user-privilege-set, DAV:acl, DAV:acl-restrictions, DAV:inherited-acl-set, DAV:principal-collection-set. Null resources (described in RFC4918: WebDAV) MUST NOT contain these properties. | MUST | Supported |
| 5.3. | An abstract privilege MUST NOT be used in an ACE for that resource. | MUST NOT | Needs to be confirmed. |
| 5.3. | Servers MUST fail an attempt to set an abstract privilege. | MUST | (awaiting proper ACL support) |
| 5.3. | Servers MUST indicate the human language of the description using the xml:lang attribute | MUST | |
| 5.4. | Each element in the DAV:current-user-privilege-set property MUST identify a non-abstract privilege from the DAV:supported-privilege-set property. | MUST | Supported |
| 5.5.2. | A DAV:grant or DAV:deny element of the DAV:acl of a resource MUST only contain non-abstract elements specified in the DAV:supported-privilege-set of that resource. | MUST | Client |
| 5.5.3. | If the ACL of a resource contains an ACE with a DAV:protected element, an attempt to remove that ACE from the ACL MUST fail. | MUST | |
| 7.1.1. | If an HTTP method fails due to insufficient privileges, the response body to the "403 Forbidden" error MUST contain the <DAV:error> element, which in turn contains the <DAV:need-privileges> element, which contains one or more <DAV:resource> elements indicating which resource had insufficient privileges, and what the lacking privileges were. | MUST | (REPORT, PROPFIND, PROPPATCH, UNLOCK, PUT) |
| 7.2. | If the server supports access control, it MUST return "access-control" as a field in the DAV response header from an OPTIONS request on any resource implemented by that server. | MUST | Supported |
| 7.2. | A value of "access-control" in the DAV header MUST indicate that the server supports all MUST level requirements and REQUIRED features in this RFC. | MUST | |
| 7.3. | When a resource is moved from one location to another due to a MOVE request, the non-inherited and non-protected ACEs in the DAV:acl property of the resource MUST NOT be modified, or the MOVE request fails. | MUST | Supported |
| 7.4. | The DAV:acl property on the resource at the destination of a COPY MUST be the same as if the resource was created by an individual resource creation request (e.g., MKCOL, PUT). | MUST | (COPY is not yet supported.) |
| 8.1. | An ACL request body MUST contain only one DAV:acl XML element. | MUST | Supported - client issue. |
| 8.1. | The ACL request MUST fail if the non-inherited and non-protected ACEs of the DAV:acl property of the resource cannot be updated to be exactly the value specified in the ACL request. | MUST | (ACL is not yet supported.) |
| 8.1.1. | An implementation MUST enforce the following constraints on an ACL request. If the constraint is violated, a 403 (Forbidden) or 409 (Conflict) response MUST be returned and the indicated XML element MUST be returned as a child of a top level DAV:error element in an XML response body: DAV:no-ace-conflict, DAV:no-protected-ace-conflict, DAV:no-inherited-ace-conflict, DAV:limited-number-of-aces, DAV:deny-before-grant, DAV:grant-only, DAV:no-invert, DAV:no-abstract, DAV:not-supported-privilege, DAV:missing-required-principal, DAV:recognized-principal, DAV:allowed-principal | MUST | (ACL is not yet supported.) |
| 8.1.1. | DAV:no-ace-conflict | MUST | |
| 8.1.1. | DAV:no-protected-ace-conflict | MUST | |
| 8.1.1. | DAV:no-inherited-ace-conflict | MUST | |
| 8.1.1. | DAV:limited-number-of-aces | MUST | |
| 8.1.1. | DAV:deny-before-grant | MUST | |
| 8.1.1. | DAV:grant-only | MUST | |
| 8.1.1. | DAV:no-invert | MUST | |
| 8.1.1. | DAV:no-abstract | MUST | |
| 8.1.1. | DAV:not-supported-privilege | MUST | |
| 8.1.1. | DAV:missing-required-principal | MUST | |
| 8.1.1. | DAV:recognized-principal | MUST | |
| 8.1.1. | DAV:allowed-principal | MUST | |
| 9.1. | A server that supports the WebDAV Access Control Protocol MUST support the DAV:expand-property report. | MUST | Supported |
| 9.2. | Support for the acl-principal-prop-set report is REQUIRED. | MUST | |
| 9.3. | Support for the principal-match report is REQUIRED. | MUST | |
| 9.4. | Support for the principal-property-search report is REQUIRED. | MUST | Supported |
| 9.5. | Support for the principal-search-property-set report is REQUIRED. | MUST | Supported |

Notes:

  • DAViCal should respond to acl-restrictions as follows, at least initially:
<D:acl-restrictions xmlns:D="DAV:">
 <D:grant-only/>
 <D:no-invert/>
</D:acl-restrictions>
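
An added example (not DAViCal code) of what advertising these two restrictions commits a server to under section 8.1.1: an ACL request body containing a DAV:deny or DAV:invert ACE is refused, and the violated precondition is returned inside DAV:error. The function names, the sample bodies and the choice of 403 over 409 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
# Restrictions the note above proposes for DAV:acl-restrictions.
RESTRICTIONS = ("grant-only", "no-invert")


def violated_precondition(body: bytes):
    """Return the name of the first 8.1.1 precondition the body violates, or None."""
    root = ET.fromstring(body)  # raises ET.ParseError on malformed XML
    if root.tag != DAV + "acl":
        raise ValueError("ACL request body must be a single DAV:acl element")
    for ace in root.findall(DAV + "ace"):
        # DAV:grant-only: the server accepts no deny ACEs.
        if "grant-only" in RESTRICTIONS and ace.find(DAV + "deny") is not None:
            return "grant-only"
        # DAV:no-invert: the server accepts no inverted principals.
        if "no-invert" in RESTRICTIONS and ace.find(DAV + "invert") is not None:
            return "no-invert"
    return None


def forbidden_response(precondition: str):
    """Build (status, body) with the precondition as a child of DAV:error."""
    ET.register_namespace("D", "DAV:")
    error = ET.Element(DAV + "error")
    ET.SubElement(error, DAV + precondition)
    return 403, ET.tostring(error)


def acl_body(ace_inner: str) -> bytes:
    """Wrap one ACE in a DAV:acl element (constructed sample input)."""
    return ('<D:acl xmlns:D="DAV:"><D:ace>%s</D:ace></D:acl>' % ace_inner).encode()


# Constructed sample requests; the principal URL is hypothetical.
PRINCIPAL = "<D:principal><D:href>/principals/example/</D:href></D:principal>"
PRIV = "<D:privilege><D:read/></D:privilege>"
WITH_GRANT = acl_body(PRINCIPAL + "<D:grant>" + PRIV + "</D:grant>")
WITH_DENY = acl_body(PRINCIPAL + "<D:deny>" + PRIV + "</D:deny>")
WITH_INVERT = acl_body("<D:invert>" + PRINCIPAL + "</D:invert><D:grant>" + PRIV + "</D:grant>")

if __name__ == "__main__":
    for name, body in (("grant", WITH_GRANT), ("deny", WITH_DENY), ("invert", WITH_INVERT)):
        bad = violated_precondition(body)
        print(name, forbidden_response(bad) if bad else "accepted")
```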