To be determined: does this depend on auth status?
As mentioned in #931, the Allow: header is not authentication dependent. Its semantics are “this is what the server is capable of in general.”
On the other hand, the WAC-Allow: header (returned on HEAD requests) /is/ authentication dependent, and checks the resource acls etc.
Specifically, the RFC states:
The "Allow" header field lists the set of methods advertised as
supported by the target resource. The purpose of this field is
strictly to inform the recipient of valid request methods associated
with the resource.
—https://tools.ietf.org/html/rfc7231#section-7.4.1
So no mention of auth there indeed, just the resource itself. Hence, it should always be GET/HEAD/OPTIONS/POST/PUT/PATCH/DELETE for Solid.