On Fri, 2003-03-28 at 01:13, Stephan Goeldi wrote:
> Accessing a Zope site with Nautilus can show you the whole structure: folders, methods and documents. On some sites you see the source of index_html. I didn't figure out what makes the difference.
Zope has a very solid security apparatus, but the default configuration is *not* the most secure one available. You've discovered one way in which this is the case: By default, Zope servers will disclose detailed information about server setup to WebDAV.

If you are concerned that this isn't a great way to manage your server (IMO, it's not), you should configure accordingly. Open up the permissions for the root object and de-select the box that grants WebDAV Access privileges to Anonymous. If you've set everything else to inherit this permission, that setting will cascade down your whole server. If not, rinse and repeat.

Managing security is a process of balancing convenience against paranoia. By default Zope errs a bit on the side of convenience... a common balance point. The Zope admin's job is to understand these choices and make them differently as requirements dictate.

HTH,
Dylan
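Added example, not part of the original message or of Zope itself: a check an admin can run against their own server after changing the permission, to see whether an unauthenticated WebDAV PROPFIND still returns a listing. It assumes a disclosing server answers 207 Multi-Status and a restricted one answers 401 or 403; the function names and the sample response are constructed for illustration.

```python
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"

# Constructed sample of a 207 Multi-Status body (not captured from a real server).
SAMPLE_207 = """<d:multistatus xmlns:d="DAV:">
  <d:response><d:href>/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
  <d:response><d:href>/index_html</d:href>
    <d:propstat><d:prop><d:resourcetype/></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
</d:multistatus>"""

def disclosed_entries(body):
    """Return (href, is_collection) for each resource named in a multistatus body."""
    root = ET.fromstring(body)
    entries = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="").strip()
        is_coll = resp.find(f".//{DAV}resourcetype/{DAV}collection") is not None
        entries.append((href, is_coll))
    return entries

def classify(status, body=""):
    """Map the result of an anonymous PROPFIND to a finding (assumed status mapping)."""
    if status == 207:
        return "EXPOSED", disclosed_entries(body)   # listing visible to Anonymous
    if status in (401, 403):
        return "RESTRICTED", []                     # WebDAV access denied to Anonymous
    return "INCONCLUSIVE", []                       # e.g. WebDAV not served at this URL

def check(url, timeout=10):
    """Send one unauthenticated PROPFIND (Depth: 1) to a server you administer."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("PROPFIND", u.path or "/",
                     headers={"Depth": "1", "Content-Length": "0"})
        resp = conn.getresponse()
        return classify(resp.status, resp.read())
    finally:
        conn.close()
```

Run `check()` against the root URL and against any folder that does not inherit the permission, since those have to be changed individually.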