[Zope-dev] WebDAV quibble -- fix in 2.6?
Casey Duncan
c.duncan@nlada.org
Wed, 6 Mar 2002 10:04:53 -0500
This may be more 2.6 (or even 2.5.1 final) fodder:
I notice that in a vanilla Zope install, Anonymous users are allowed access
through WebDAV. This is bad for two reasons:
1. From a security perspective this discloses way too much information about
your site to the outside world.
2. Due to vagaries of WebDAV authentication, it makes it impossible to edit
anything, because I guess the WebDAV implementation is too stupid to force a
login when you try to lock something as anonymous (instead it returns a 500
server error). To get around this you have to create or copy an object to
force a login. This problem disappears if everyone must log in to access
WebDAV at all.
So the question is: Is there a good reason why WebDAV access is granted to
anonymous by default? If not I vote we change it.
/---------------------------------------------------\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
c.duncan@nlada.org
\---------------------------------------------------/
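
Added example, not part of the original message and not Zope code: a small check an administrator can run against their own server to see how it answers unauthenticated WebDAV requests, covering both points raised above (anonymous PROPFIND and the LOCK that returns a 500 instead of a login challenge). The function names, the default port and the status-to-finding mapping are assumptions made for this sketch.

```python
import http.client

# Minimal RFC 4918 request bodies.
PROPFIND_BODY = (b'<?xml version="1.0"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
LOCK_BODY = (b'<?xml version="1.0"?><D:lockinfo xmlns:D="DAV:">'
             b'<D:lockscope><D:exclusive/></D:lockscope>'
             b'<D:locktype><D:write/></D:locktype></D:lockinfo>')

def classify(method, status):
    """Map the status of an unauthenticated WebDAV request to a finding."""
    if status in (401, 403):
        return "ok: anonymous request refused"
    if method == "PROPFIND" and status == 207:
        return "exposed: anonymous PROPFIND returns properties"
    if method == "LOCK" and 200 <= status < 300:
        return "exposed: anonymous LOCK granted"
    if method == "LOCK" and status >= 500:
        return "broken: LOCK fails with server error, no login challenge"
    return "review: unexpected status %d" % status

def probe(host, port=8080, path="/", use_tls=False):
    """Send PROPFIND and LOCK without credentials; return findings per method.

    The LOCK asks for a 60 second timeout so a granted lock expires quickly.
    """
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    requests = (("PROPFIND", PROPFIND_BODY, {"Depth": "0"}),
                ("LOCK", LOCK_BODY, {"Timeout": "Second-60"}))
    findings = {}
    for method, body, extra in requests:
        headers = {"Content-Type": "text/xml"}
        headers.update(extra)
        conn = cls(host, port, timeout=10)
        try:
            conn.request(method, path, body=body, headers=headers)
            findings[method] = classify(method, conn.getresponse().status)
        finally:
            conn.close()
    return findings

if __name__ == "__main__":
    # Constructed statuses matching the behaviour described in the message;
    # call probe("your.host", 8080) to test a server you administer.
    for method, status in (("PROPFIND", 207), ("LOCK", 500), ("LOCK", 401)):
        print(method, status, "->", classify(method, status))
```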