[Zope] Disabling anonymous webdav access
Brian Lloyd
brian@digicool.com
Fri, 18 May 2001 11:19:10 -0400
> As someone pointed out on #zope, it is possible to view folder contents
> using a webdav client as an anonymous user.
>
> <snip>
>
> After applying you'll get a new permission in your security tab, which
> is set to manager by default. To get the old behaviour back, just set the
> permission back to anonymous.
>
> Apply it using patch -p1 < ../webdav.patch in your SOFTWARE_HOME (i.e. the
> Zope-2.3.2-src dir).

I'd like to add this for Zope 2.4, but slightly modified, and
I wanted to run this by the community for buy-in.

I propose that there be a "WebDAV Access" permission (to be
consistent w/the existing "FTP Access" permission) that protects
PROPFIND. Instead of defaulting to "Manager" only (as proposed by
Ivo), I propose that it default to "Manager, Anonymous" so that
current behavior is preserved. In other words, I think it is
better that sites continue to work exactly as before after the
change (but that the manager can then go turn off anonymous
DAV access), rather than have sites suddenly "stop working with
WebDAV" until the manager goes and gives anonymous that
permission.

Thoughts?

>
> -- cut here --
> *** Zope-2.3.2-orig/lib/python/webdav/Resource.py Tue Mar
> 27 21:50:37 2001
> --- Zope-2.3.2-src/lib/python/webdav/Resource.py Mon May
> 14 19:16:46 2001
> ***************
> *** 109,115 ****
>
> __ac_permissions__=(
> ('View', ('HEAD',)),
> ! ('Access contents information', ('PROPFIND',)),
> ('Manage properties', ('PROPPATCH',)),
> ('Delete objects', ('DELETE',)),
> )
> --- 109,115 ----
>
> __ac_permissions__=(
> ('View', ('HEAD',)),
> ! ('Access contents information through WebDav',
> ('PROPFIND',)),
> ('Manage properties', ('PROPPATCH',)),
> ('Delete objects', ('DELETE',)),
> )
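Review bot: The replacement PROPFIND entry in `__ac_permissions__` names a new permission but gives no default-roles tuple, so which roles hold it after an upgrade is left implicit. Since the thread is debating exactly that default, declare it as the entry's third element so the behaviour is visible in Resource.py itself. The name 'Access contents information through WebDav' also differs from the existing 'Access contents information' only by its suffix, which is easy to misread in the security tab, and "WebDav" should be spelled "WebDAV". Only PROPFIND moves to the new permission; HEAD, PROPPATCH and DELETE keep their current ones, which is worth stating in the permission's documentation so administrators know what revoking it from Anonymous does and does not cover.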
> -- cut here --
>
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com