Chris McDonough wrote:
Hi Antwan,
That said, I'm suspicious of the claim that via WebDAV, you're able to subvert the Zope security policy in any way, because it's the same one that's used by "normal" HTTP access. For example, if you're able to change the body of a DTML method via WebDAV on your site, it's likely because the permission "Add Documents, Images, and Files" (or perhaps "Change DTML Methods") is provided to the Anonymous user respective to the object itself. Likewise, if you can PUT a DTML document into a folder as the anonymous user, it's likely because the "Add Documents, Images, and Files" permission is provided to the Anonymous User respective to the folder.
Can you provide a specific set of steps using WebDAV that demonstrates a subversion of your specific security policy?
I also am suspicious. I have not tried an MS client but did use cadaver to test WebDAV access last week and it prompted for a password as it should.

Antwan, feel free to hit the DEMO site below and let me know if you trash my demo <s>.

Thanks,
--
Tim Cook, President - FreePM, Inc.
http://www.FreePM.com
Office: (731) 884-4126
ONLINE DEMO: http://www.freepm.org:8080/FreePM