[Zope] zope needs webdav global access *ON/OFF* feature
Júlio Dinis Silva
juliodinis@hotmail.com
Fri, 29 Sep 2000 12:05:39 WEST
Hi all,
I think zope MUST have a way to disable webdav access.
Running a webdav client on some zope sites I found in almost all
of them things like test_html, index_html_old and some other
forgotten methods that programmers leave in their applications.
Depending on what tests programmers were doing in these methods
one could find a way to do some DoS on those sites, just to begin.
I mean, even if the user doesn't have permissions to edit/save methods,
just the fact that he is browsing my structure and viewing my methods is bad
for security.
I looked at the source and the webdav implementation is class-specific,
i.e., only objects of classes that import webdav stuff and
implement it are published by zope to a webdav client.
I tried to find a *central* switch to disable it in ZServer or ZPublisher,
but no luck. I also tried to find something like
domain restriction which could be another way to disable webdav.
The solution of disabling Access Contents Information for anonymous isn't
practical on a complex site already in production.
I'll try to find a way to disable/restrict the webdav access.
Any suggestion?
Best Regards,
Júlio Dinis Silva
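
Added example, not part of the original post and not Zope code: one way to get the central on/off switch and domain restriction asked for above, as a filter placed in front of the published application. It assumes the site is served through a WSGI layer and that REMOTE_ADDR holds the real client address; WebDAVSwitch, probe and demo_app are hypothetical names.

```python
import ipaddress

# Methods introduced by WebDAV (RFC 2518). PUT and DELETE are plain HTTP
# and are left to the application's own permission checks.
DAV_METHODS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"})

class WebDAVSwitch:
    """Global on/off switch plus allow-list; an empty list admits nobody."""
    def __init__(self, app, enabled=False, allowed_networks=()):
        self.app = app
        self.enabled = enabled
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]

    def _dav_permitted(self, environ):
        if not self.enabled:
            return False
        try:
            addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed address: fail closed
        return any(addr in net for net in self.allowed)

    def __call__(self, environ, start_response):
        if self._dav_permitted(environ):
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD", "").upper() in DAV_METHODS:
            body = b"WebDAV access is disabled.\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Ordinary request: pass it on, but hide the DAV capability header.
        def filtered(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != "dav"]
            return start_response(status, kept, exc_info)
        return self.app(environ, filtered)

def probe(app, method, addr):
    """Send one constructed request; return (status, header names)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["r"] = (status, [k for k, _ in headers])
    list(app({"REQUEST_METHOD": method, "REMOTE_ADDR": addr}, start_response))
    return seen["r"]

def demo_app(environ, start_response):  # constructed stand-in site
    start_response("200 OK", [("Content-Type", "text/plain"), ("DAV", "1,2")])
    return [b"ok\n"]
```

WebDAVSwitch(demo_app) refuses every WebDAV request; WebDAVSwitch(demo_app, enabled=True, allowed_networks=["10.0.0.0/8"]) lets only that network browse the object tree over WebDAV.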