Hi all, I think zope MUST have a way to disable webdav access. Running a webdav client on some zope sites I found in almost all of them things like test_html index_html_old and some other forgiven methods that programmers leave on their applications. Depending on what test programmers were doing in this methods one could find a way to do some DOS on does sites, just to begin. I mean, even if the user dont have permissions to edit/save methods, just the fact that he is browsing my structure and viewing my methods is bad for security. I looked at source and the webdav implementation is class specific implemented, i.e, only objects of classes that import webdav stuff and implement it are Published by zope to a webdav client. I tryed to find a *central* switch to disable it on ZServer or ZPublisher, but no luck. I also tryed to find something like domain restriction which could be another way to disable webdav. The solution of disable Access Contents Information to anonymous isnt pratical on a complex site already in production. I'll try to find a way to disable/restrict the webdav access. Any suggestion? Best Regards, Júlio Dinis Silva _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. Share information about yourself, create your own public profile at http://profiles.msn.com.