As someone pointed out on #zope, it is possible to view folder contents using a webdav client as an anonymous user.
<snip>
After applying you'll get a new permission in your security tab, which is set to manager by default. To get the old behaviour back, just set the permission back to anonymous.
Apply it using patch -p1 ../webdav.patch in your SOFTWARE_HOME (i.e. the Zope-2.3.2-src dir).
I'd like to add this for Zope 2.4, but slightly modified, and I wanted to run this by the community for buy-in. I propose that there be a "WebDAV Access" permission (to be consistent w/the existing "FTP Access" permission) that protects PROPFIND. Instead of defaulting to "Manager" only (as proposed by Ivo), I propose that it default to "Manager, Anonymous" so that current behavior is preserved. In other words, I think it is better that sites continue to work exactly as before after the change (but that the manager can then go turn off anonymous DAV access), rather than have sites suddenly "stop working with WebDAV" until the manager goes and gives anonymous that permission. Thoughts?
-- cut here -- *** Zope-2.3.2-orig/lib/python/webdav/Resource.py Tue Mar 27 21:50:37 2001 --- Zope-2.3.2-src/lib/python/webdav/Resource.py Mon May 14 19:16:46 2001 *************** *** 109,115 ****
__ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) --- 109,115 ----
__ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information through WebDav', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) -- cut here --
Brian Lloyd brian@digicool.com Software Engineer 540.371.6909 Digital Creations http://www.digicool.com