'owner' in dav LOCK request. (Julian Reschke, you out there?)

I'm confused about the WebDAV spec (rfc 2518), specifically in regard
to how the 'owner' field works in LOCK requests.

According to the rfc, the 'owner' field of a dav lock is completely
optional. It might or might not be in the body of a LOCK request.
And if it's present, it seems to bear no relationship to
authentication or lock enforcement. The rfc descibes it as just a
piece of optional metadata -- like, somebody to phone when you want to
talk about locking out-of-band.

As a real-world example of this, I notice that my Mac does basic http
authentication when mounting a DAV share, but in its LOCK requests the
owner is always "default-owner".

I'm worried, because this doesn't mesh with Subversion's locking
semantics at all. To make use of a lock, Subversion requires *both*
the lock-token (which is publically available) AND that the user be
authenticated as the lock's owner.

If WebDAV doesn't have this same double-authentication requirement,
then I don't understand how locks are supposed to be enforced:

   User A authenticates, does a LOCK, gets a token.
   User B authenticates, does a PROPFIND, discovers the token.
   User B then does a PUT using the token.

What's the point of locking something if there's no
authentication/owner enforcement? It like locking the door, and then
leaving the key taped to the door.

Maybe I misunderstand what's going on here. Julian, can you clarify?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Dec 1 21:58:50 2004