Bug 30982

Summary: possible DELETE on a resource LOCKed by another user
Product: Slide
Reporter: Stefan L <luetzkendorf>
Component: WebDAV Server
Assignee: Slide Developer List <slide-dev>
Status: RESOLVED FIXED    
Severity: major    
Priority: P3    
Version: 2.1   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Stefan L 2004-09-01 07:44:55 UTC
Currently it is possible for a user that does not own a given lock to
delete a resource if he provides the "stolen" locktoken in the If header.

E.g. in the following scenario:

user A LOCK /any/resource
user B PROPFIND /any/resource (retrieves the locktoken)
user B DELETE /any/resource

I think that's a bug. If nobody contradicts, I'll try to fix this ASAP.

Comment 1 Stefan L 2004-09-03 14:49:29 UTC
Added a testcase under /functional/lock/mix/nonOwnerUsesLocktoken to reproduce.
Fixed in LockImpl
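
The scenario from the description, modelled as an added example (this is not Slide's LockImpl code): a token-only check next to a check that also binds the lock to its owner. LockTable, its method names, the user names and the token value are hypothetical, and the If header parsing is deliberately simplified.

```python
import re
from dataclasses import dataclass

# State tokens in an If header look like (<opaquelocktoken:...>)
TOKEN_RE = re.compile(r"<([^<>\s]+)>")

@dataclass(frozen=True)
class Lock:
    token: str  # lock token, readable by others via PROPFIND lockdiscovery
    owner: str  # authenticated principal that created the lock

class LockTable:
    """Hypothetical in-memory lock store, one exclusive lock per resource."""
    def __init__(self):
        self._locks = {}

    def lock(self, path, principal, token):
        self._locks[path] = Lock(token, principal)

    def submitted_tokens(self, if_header):
        # Simplified: collects every <...> token; ignores Not, ETags, tagged lists.
        return set(TOKEN_RE.findall(if_header or ""))

    def may_delete_token_only(self, path, principal, if_header):
        """Reported behaviour: knowing the token is enough, principal is ignored."""
        lock = self._locks.get(path)
        return lock is None or lock.token in self.submitted_tokens(if_header)

    def may_delete_owner_bound(self, path, principal, if_header):
        """Token must be submitted AND the requester must own the lock."""
        lock = self._locks.get(path)
        if lock is None:
            return True
        return (lock.token in self.submitted_tokens(if_header)
                and principal == lock.owner)

def scenario():
    # Constructed sample data mirroring the three steps in the report.
    table = LockTable()
    token = "opaquelocktoken:00000000-0000-0000-0000-000000000001"
    table.lock("/any/resource", "userA", token)
    if_header = f"(<{token}>)"  # what user B sends after reading the token
    return {
        "token_only_userB": table.may_delete_token_only("/any/resource", "userB", if_header),
        "owner_bound_userB": table.may_delete_owner_bound("/any/resource", "userB", if_header),
        "owner_bound_userA": table.may_delete_owner_bound("/any/resource", "userA", if_header),
        "owner_bound_userA_no_token": table.may_delete_owner_bound("/any/resource", "userA", ""),
    }
```

The last case shows that the owner still has to submit the token; ownership alone does not satisfy the check.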