[Zope] Disabling anonymous webdav access
Ivo van der Wijk
ivo@amaze.nl
Fri, 25 May 2001 18:55:35 +0200
On Fri, May 18, 2001 at 11:19:10AM -0400, Brian Lloyd wrote:
> > As someone pointed out on #zope, it is possible to view folder contents
> > using a webdav client as an anonymous user.
> >
>
> I'd like to add this for Zope 2.4, but slightly modified, and
> I wanted to run this by the community for buy-in.
>
> I propose that there be a "WebDAV Access" permission (to be
> consistent w/the existing "FTP Access" permission) that protects
> PROPFIND. Instead of defaulting to "Manager" only (as proposed by
> Ivo), I propose that it default to "Manager, Anonymous" so that
> current behavior is preserved. In other words, I think it is
> better that sites continue to work exactly as before after the
> change (but that the manager can then go turn off anonymous
> DAV access), rather than have sites suddenly "stop working with
> WebDAV" until the manager goes and gives anonymous that
> permission.
>
I never really used WebDAV, so I don't know what applications will break
with my patch. I assume however that these applications understand
authentication and will simply require a username/password.

I do think it should be made clear to the user that in the default configuration,
Zope will allow this anonymous access - I know a lot of people who find such
behaviour insecure and who would be scared if they found out afterwards
(as I did).

As for the proposed reverse proxy filtering, this will disable all WebDAV
access *the hard way* (i.e. PROPFIND will not be possible at all). And it
will not make Zope secure "out of the box".

Until there is decent protocol-based access, this looks like a nice patch.
And of course, you're welcome to incorporate it in 2.4 :)
Cheers,
Ivo
--
Drs. I.R. van der Wijk
Brouwersgracht 132
1013 HA Amsterdam
Tel: +31-20-4688336
Fax: +31-20-4688337
Web: http://www.amaze.nl/
Email: ivo@amaze.nl

Amaze Internet Services V.O.F.
Linux/Web/Zope/SQL
Network Solutions
Consultancy
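An added check, not part of this thread or of Zope itself, that an administrator could run over a web server access log to see whether anonymous PROPFIND folder listings are still being served after deciding on the "WebDAV Access" default. It assumes common/combined log format with the authenticated user in the third field ("-" when anonymous); the sample lines are constructed.

```python
import re

# Constructed sample lines in common/combined log format (not real traffic).
# A 207 Multi-Status is the normal success response to PROPFIND; a 401 means
# the server demanded credentials before listing the folder.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2001:18:40:01 +0200] "PROPFIND /site/ HTTP/1.1" 207 1432 "-" "DAV client"
10.0.0.5 - alice [25/May/2001:18:40:09 +0200] "PROPFIND /site/private/ HTTP/1.1" 207 980 "-" "DAV client"
10.0.0.7 - - [25/May/2001:18:41:15 +0200] "PROPFIND /site/private/ HTTP/1.1" 401 0 "-" "DAV client"
10.0.0.9 - - [25/May/2001:18:42:00 +0200] "GET /site/index_html HTTP/1.1" 200 512 "-" "Mozilla"
"""

# Only the common-log prefix is needed: host, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["anonymous"] = rec["user"] == "-"
    return rec


def anonymous_propfind_hits(log_text):
    """Return (host, path) for every PROPFIND answered 207 with no authenticated user.

    Each hit is a folder listing handed to an anonymous client, i.e. the
    behaviour the "WebDAV Access" permission is meant to let a manager turn off.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "PROPFIND":
            continue
        if rec["anonymous"] and rec["status"] == 207:
            hits.append((rec["host"], rec["path"]))
    return hits


if __name__ == "__main__":
    for host, path in anonymous_propfind_hits(SAMPLE_LOG):
        print(f"anonymous PROPFIND served: {host} {path}")
```

An empty result over a day of logs, with a few 401s present, is a reasonable sign that the restriction is in place; an empty result with no PROPFIND traffic at all proves nothing.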