Hello, I have a question regarding the behavior of locked resources.
Consider the following test case:

1. user A creates a file in /DAV/test
2. user A locks it
3. user B tries to unlock (providing a lock token via Lock-Token header)
4. user B tries to put
5. user B tries to put (providing a lock token via If header)
6. user B tries to delete
7. user B tries to delete (providing a lock token via If header)
Is it right to expect that all requests of user B should fail with "Locked" or "Forbidden" or something else?
If so, my problem is that steps 5 and 7 in my configuration do not fail, i.e. another user that gets the lock token can write to the locked file! I attach a test case which executes these steps.
Can anybody help me?
Thanks in advance, Stefan
p.s.
I have the following permissions at /DAV/test where the locked resource resides.
ACL for /DAV/test/:
------------------------------------------------------------
granted to /DAV/roles/root (not protected) (inherited from '/DAV/')
  DAV:all
denied to all (not protected) (inherited from '/DAV/')
  DAV:read-acl
  DAV:write-acl
  DAV:unlock
granted to all (not protected) (inherited from '/DAV/')
  DAV:read
granted to /DAV/roles/user (not protected) (inherited from '/DAV/')
  DAV:all
------------------------------------------------------------
--
Stefan Lützkendorf
Institut für Terminologie und angewandte Wissensforschung (itaw) GmbH
Sitz: Georgenstr. 35, 10117 Berlin
Tel.: ++49 (030) 30 86 20 84
Fax : ++49 (030) 30 86 20 87
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test SYSTEM "../../../../Tprocessor.dtd">
<test>
<specification>
<abstract>Checks if a Lock properly denies write by others.</abstract>
<description>
%user% creates a file
%user% locks it
%user%2 tries to unlock (providing a lock token)
%user%2 tries to put
%user%2 tries to put (providing a lock token)
%user%2 tries to delete
%user%2 tries to delete (providing a lock token)
cleanup
</description>
<expectedResult>all steps by %user%2 should be denied</expectedResult>
</specification>
<step>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">MKCOL /%globalVariableServerName%/%globalVariableCollection%/test HTTP/1.1</command>
</request>
<response>
<command>HTTP/1.0 201 Created</command>
</response>
</step>
<step>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">PUT /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<body fileReference="../../../contentDirectory/html.html" />
</request>
<response>
<command>HTTP/1.0 201 Created</command>
</response>
</step>
<step>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">LOCK /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<header>Timeout: Second-86400</header>
<header>Content-Type: text/xml</header>
<body><![CDATA[<?xml version="1.0" encoding="utf-8"?>
<A:lockinfo xmlns:A="DAV:">
<A:locktype>
<A:write />
</A:locktype>
<A:lockscope>
<A:exclusive />
</A:lockscope>
<owner xmlns="DAV:">some owner</owner>
</A:lockinfo>
]]></body>
</request>
<response>
<command>HTTP/1.0 200 OK</command>
<body varUsage="globalVariableUserPath,globalVariableServerName,user,host" varDefinition="locktoken" varPath="prop/lockdiscovery/activelock/locktoken/href"><![CDATA[<?xml version="1.0" encoding="utf-8"?>
<d:prop xmlns:d="DAV:">
<d:lockdiscovery>
<d:activelock>
<d:locktype>
<d:write />
</d:locktype>
<d:lockscope>
<d:exclusive />
</d:lockscope>
<d:depth>infinity</d:depth>
<d:timeout>Second-86400</d:timeout>
<d:locktoken>
<d:href />
</d:locktoken>
<d:principal-URL>
<d:href>%globalVariableUserPath%</d:href>
</d:principal-URL>
<owner xmlns="DAV:">some owner</owner>
</d:activelock>
</d:lockdiscovery>
</d:prop>
]]></body>
</response>
</step>
<!-- another user should not be able to UNLOCK -->
<step>
<user varUsage="user">%user%2</user>
<password varUsage="user">%user%2</password>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">UNLOCK /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<header varUsage="locktoken"><![CDATA[Lock-Token: %locktoken%]]></header>
<header>Translate: f</header>
</request>
<response>
<command>HTTP/1.0 403 Forbidden</command>
</response>
</step>
<!-- another user should not be able to PUT (without providing a lock token) -->
<step>
<user varUsage="user">%user%2</user>
<password varUsage="user">%user%2</password>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">PUT /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<body fileReference="../../../contentDirectory/html.html" />
</request>
<response>
<command>HTTP/1.0 423 Locked</command>
</response>
</step>
<!-- another user should not be able to PUT (even when providing the lock token) -->
<step>
<user varUsage="user">%user%2</user>
<password varUsage="user">%user%2</password>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">PUT /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<header varUsage="locktoken"><![CDATA[If: (<%locktoken%>)]]></header>
<body fileReference="../../../contentDirectory/html.html" />
</request>
<response>
<command>HTTP/1.0 423 Locked</command>
</response>
</step>
<!-- another user should not be able to DELETE (without providing a lock token) -->
<step>
<user varUsage="user">%user%2</user>
<password varUsage="user">%user%2</password>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">DELETE /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
</request>
<response>
<command>HTTP/1.0 423 Locked</command>
</response>
</step>
<!-- another user should not be able to DELETE (even when providing the lock token) -->
<step>
<user varUsage="user">%user%2</user>
<password varUsage="user">%user%2</password>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">DELETE /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<header varUsage="locktoken"><![CDATA[If: (<%locktoken%>)]]></header>
</request>
<response>
<command>HTTP/1.0 423 Locked</command>
</response>
</step>
<step>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">DELETE /%globalVariableServerName%/%globalVariableCollection%/test/help-doc.html HTTP/1.1</command>
<header varUsage="locktoken"><![CDATA[If: (<%locktoken%>)]]></header>
</request>
<response>
<command>HTTP/1.0 204 No Content</command>
</response>
</step>
<step>
<request>
<command varUsage="globalVariableCollection,globalVariableServerName">DELETE /%globalVariableServerName%/%globalVariableCollection%/test HTTP/1.1</command>
</request>
<response>
<command>HTTP/1.0 204 No Content</command>
</response>
</step>
</test>
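Added example (Python; not part of Stefan's test case or of the server under discussion): the check RFC 4918 section 6.4 asks a WebDAV server to apply, where a PUT or DELETE on a locked resource must both carry the lock token in the If header and come from the principal that created the lock, while UNLOCK by a non-owner additionally needs the DAV:unlock privilege (denied to all in the ACL above). Replaying user B's steps 3 to 7 shows why steps 5 and 7 should still be refused even though the token is presented. The lock token, principal names and helper names are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Lock:
    token: str   # opaque lock token as returned in lockdiscovery (constructed below)
    owner: str   # authenticated principal that created the lock

TOKEN_RE = re.compile(r"<([^>]+)>")   # pulls <token> items out of an If header

def submitted_tokens(if_header):
    """Tokens from a No-tag-list If header such as '(<opaquelocktoken:...>)'."""
    return set(TOKEN_RE.findall(if_header or ""))

def check_write(lock, principal, if_header):
    """Status a server should return for PUT/DELETE on a possibly locked resource."""
    if lock is None:
        return 200
    if lock.token not in submitted_tokens(if_header):
        return 423                      # Locked: no usable token submitted
    if principal != lock.owner:
        return 423                      # token known, but submitter is not the lock creator
    return 200

def check_unlock(lock, principal, lock_token_header, acl_allows_unlock):
    """Status for UNLOCK; a non-owner needs the DAV:unlock privilege (RFC 3744)."""
    if lock is None or lock_token_header != lock.token:
        return 409                      # Conflict: token matches no lock on the resource
    if principal != lock.owner and not acl_allows_unlock:
        return 403
    return 204

# Replay user B's steps 3-7 from the post: user A holds the lock, DAV:unlock is denied to all.
LOCK = Lock(token="opaquelocktoken:constructed-example-token", owner="userA")

def replay_user_b():
    tok = LOCK.token
    return [
        check_unlock(LOCK, "userB", tok, acl_allows_unlock=False),  # step 3: 403
        check_write(LOCK, "userB", None),                           # step 4: 423
        check_write(LOCK, "userB", f"(<{tok}>)"),                   # step 5: 423
        check_write(LOCK, "userB", None),                           # step 6: 423
        check_write(LOCK, "userB", f"(<{tok}>)"),                   # step 7: 423
    ]

def replay_owner_cleanup():
    """The lock creator with the token may delete, as in the cleanup step."""
    return check_write(LOCK, "userA", f"(<{LOCK.token}>)")

if __name__ == "__main__":
    print(replay_user_b(), replay_owner_cleanup())   # [403, 423, 423, 423, 423] 200
```

A server that only compares the token, and skips the principal comparison in check_write, returns 200 at steps 5 and 7, which is the behaviour reported in the post.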