On Fri, May 18, 2001 at 11:19:10AM -0400, Brian Lloyd wrote:
> As someone pointed out on #zope, it is possible to view folder contents using a webdav client as an anonymous user.
>
> I'd like to add this for Zope 2.4, but slightly modified, and I wanted to run this by the community for buy-in.
>
> I propose that there be a "WebDAV Access" permission (to be consistent w/the existing "FTP Access" permission) that protects PROPFIND. Instead of defaulting to "Manager" only (as proposed by Ivo), I propose that it default to "Manager, Anonymous" so that current behavior is preserved. In other words, I think it is better that sites continue to work exactly as before after the change (but that the manager can then go turn off anonymous DAV access), rather than have sites suddenly "stop working with WebDAV" until the manager goes and gives anonymous that permission.
I never really used webdav, so I don't know what applications will break with my patch. I assume however that these applications understand authentication and will simply require a username/password.

I do think it should be made clear to the user that in the default configuration, Zope will allow this anonymous access. I know a lot of people who find such behaviour insecure and who would be scared if they found out afterwards (as I did).

As for the proposed reverse proxy filtering, this will disable all webdav access *the hard way* (i.e. PROPFIND will not be possible at all). And it will not make Zope secure "out of the box". Until there is decent protocol based access, this looks like a nice patch. And of course, you're welcome to incorporate it in 2.4 :)

Cheers,

Ivo

--
Drs. I.R. van der Wijk            Brouwersgracht 132
Amaze Internet Services V.O.F.    1013 HA Amsterdam
Linux/Web/Zope/SQL                Tel: +31-20-4688336
Network Solutions                 Fax: +31-20-4688337
Consultancy                       Web: http://www.amaze.nl/
                                  Email: ivo@amaze.nl
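An added audit helper for the situation the thread discusses (not code from the thread, from Brian, from Ivo, or from Zope itself): it sends an unauthenticated PROPFIND with Depth: 1 to a Zope instance you administer and reports whether anonymous users can enumerate the folder, whether credentials are required (the effect of a "WebDAV Access" permission without Anonymous), or whether PROPFIND is not answered at all (the reverse-proxy filtering case). Host, port and path are assumptions passed on the command line.

```python
"""Audit helper: does a Zope folder answer anonymous WebDAV PROPFIND?

Constructed example, not part of Zope or of the mailing-list thread.
"""
import http.client
import sys
import xml.etree.ElementTree as ET

DAV_NS = "{DAV:}"

# Minimal allprop request body as defined in the WebDAV RFCs (2518/4918).
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')


def propfind_headers(depth="1"):
    """Headers for an anonymous PROPFIND: no Authorization header on purpose."""
    return {
        "Depth": depth,
        "Content-Type": 'text/xml; charset="utf-8"',
        "Content-Length": str(len(PROPFIND_BODY)),
    }


def listed_hrefs(multistatus_xml):
    """Return the resource paths enumerated in a 207 Multi-Status body."""
    root = ET.fromstring(multistatus_xml)
    return [h.text for h in root.iter(DAV_NS + "href")]


def classify(status, body=b""):
    """Map the server's answer to an audit verdict.

    207 -> anonymous users can list the folder (what the proposed default of
           "Manager, Anonymous" preserves, and what a manager should turn off);
    401 -> credentials are required for PROPFIND;
    other -> PROPFIND is not served at all (e.g. filtered by a reverse proxy).
    """
    if status == 207:
        return ("anonymous-listing", listed_hrefs(body))
    if status == 401:
        return ("auth-required", [])
    return ("no-dav", [])


def audit(host, port=8080, path="/"):
    """Live check against your own Zope instance; returns a classify() verdict."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PROPFIND", path, body=PROPFIND_BODY, headers=propfind_headers())
    resp = conn.getresponse()
    return classify(resp.status, resp.read())


if __name__ == "__main__":  # usage: python audit.py HOST [PORT] [PATH]
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    print(audit(host, port, sys.argv[3] if len(sys.argv) > 3 else "/"))
```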