On 17.01.2012 20:54, Johan Corveleyn wrote:
> But, but ... if you're able to checkout ^/foo/bar/baz, then you
> already know that foo and foo/bar

In the ACL world, there is a difference between "lookup" and "read" access. In your example, the user has permission to lookup ^/foo and ^/foo/bar, but not to read them; whereas she can read ^/foo/bar/baz.

"Lookup" implies that you can perform operations on the node's descendants (based on their access flags), but not access the node's properties -- and that includes not allowing directory enumeration. In other words, "lookup" access on ^/foo/bar means that you may be able to open(^/foo/bar/baz) if you have appropriate access to .../baz, but not readdir(^/foo/bar) -- so someone has to tell you that ^/foo/bar/baz exists since you can't discover that by walking down the directory tree.

Some models always allow lookup, others allow you to turn it off. It all depends on how many non-obvious edge cases you want to introduce in your ACL model. :)

-- Brane