subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: serf error handling for locks without authn
Date Tue, 04 Jun 2013 00:24:29 GMT
2013/6/4 Greg Stein <gstein@gmail.com>:
> On Mon, Jun 3, 2013 at 7:10 PM, Greg Stein <gstein@gmail.com> wrote:
>> On Mon, Jun 3, 2013 at 6:48 PM, Ben Reser <ben@reser.org> wrote:
>>...
>>> I'd argue that we should return a 500 range error since the problem
>>> here is that the server is not properly configured.  There is really
>>
>> Nah. 500 means there is nothing the client can do, which isn't quite
>> accurate. A client *could* go ahead and fill in an Authorization:
>> header. (tho I don't know if Apache will parse it, without a config
>> there)
>>
>>> nothing a client can do to resolve the issue other than to
>>> authenticate, which our client is only going to do if the server is
>>> setup properly.  So I'd vote for returning HTTP_INTERNAL_SERVER_ERROR.
>
> On IRC, Ben and I tossed this around. The short answer is "the server
> is not configured to allow a LOCK operation." 501 (Not Implemented)
> states it is an appropriate status when the server is unable to
> support the request method.
>
> We can also adjust the error string in append_locks() to something like:
>   "Anonymous lock creation is not allowed. The server configuration
> will not allow a LOCK."
>
> That points to the configuration problem. And the 501 is pretty darned
> close to what we want.
>
> As Ben noted on IRC, a 4xx response implies the client got something
> wrong. The root problem is on the server, and that implies a 5xx
> response.
>

If you are considering 501 then there also exists 405 Method Not Allowed
An implementation difference though is that 405 must be accompanied by
an Allow header.

Difference between 405 and 501 is also specified in ch.5.1.1 of RFC
2616 (HTTP/1.1),
Quoting from there:
[[[
   The list of methods allowed by a resource can be specified in an
   Allow header field (section 14.7). The return code of the response
   always notifies the client whether a method is currently allowed on a
   resource, since the set of allowed methods can change dynamically. An
   origin server SHOULD return the status code 405 (Method Not Allowed)
   if the method is known by the origin server but not allowed for the
   requested resource, and 501 (Not Implemented) if the method is
   unrecognized or not implemented by the origin server.
]]]

On a generic HTTP server if authentication is required but is not configured
I would consider returning 403.
I do not know whether that would work for Subversion in this case though.

Best regards,
Konstantin Kolinko

Mime
View raw message