Thanks for the response.
Julian Reschke wrote:
> > * Return 405 Method Not Allowed, and indicate in the "Allow" response
> > header the methods that this particular authenticated user is allowed
> > to perform. (i.e. Allow: GET)
>
> The description for 405 is not very clear, but the one for "Allow" is
> (IMHO):
>
> "The Allow entity-header field lists the set of methods supported by the
> resource identified by the Request-URI." --
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7>
>
> So no, this doesn't fit.
So I guess the thought here is that the text says "methods supported"
rather than "methods allowed", which implies that it is not user-sensitive.
If Allow is not supposed to reflect the access rights of the remote
user, can you suggest an alternative mechanism by which I can tell the
client "You can GET but you don't have access to PUT or DELETE"?
(Currently I'm using "Allow" for this, but now that you've called out
that specific sentence I agree that it does not seem to be intended to
reflect access rights.)
The need is letting user-agents that retrieve the resource know ahead of
time that a PUT or DELETE will not be allowed so that the UI can reflect
this, for example by displaying a "Read-only" indicator and disabling
the "Save" button.
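As an added illustration of the distinction drawn above (not part of the thread, and not Julian's or the poster's code), the handler below keeps "Allow" scoped to the resource, as RFC 2616 section 14.7 describes, and enforces per-user access separately. The user names, the permission table and the choice of 403 for a supported-but-denied method are assumptions of this example; the thread itself does not settle on an alternative signalling mechanism.

```python
# Methods the resource itself implements, independent of who is asking.
# This, and only this, is what "Allow" advertises (RFC 2616 14.7).
SUPPORTED_METHODS = ("GET", "PUT", "DELETE")

# Constructed sample access-control table (assumption): user -> permitted methods.
PERMISSIONS = {
    "alice": {"GET", "PUT", "DELETE"},
    "bob": {"GET"},          # read-only user
}

def allow_header():
    """Allow is a property of the resource, so it is the same for every user."""
    return {"Allow": ", ".join(SUPPORTED_METHODS)}

def misused_allow_header(user):
    """The pattern the thread argues against: Allow narrowed per user.

    Kept here only to show the difference; a client cannot tell whether a
    missing method means "unsupported" or "not permitted for you".
    """
    permitted = [m for m in SUPPORTED_METHODS if m in PERMISSIONS.get(user, set())]
    return {"Allow": ", ".join(permitted)}

def handle(method, user):
    """Return (status, headers) for a request on the resource.

    405 means the resource does not implement the method at all and MUST
    carry Allow. A supported method the user may not perform is an
    authorization failure; 403 is this example's (assumed) choice, and the
    decision is always made here, never trusted from an earlier client hint.
    """
    headers = allow_header()
    if method not in SUPPORTED_METHODS:
        return 405, headers
    if method not in PERMISSIONS.get(user, set()):
        return 403, headers
    return 200, headers
```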