[Zope] Disabling anonymous webdav access

Brian Lloyd brian@digicool.com
Fri, 18 May 2001 11:19:10 -0400


> As someone pointed out on #zope, it is possible to view folder contents
> using a webdav client as an anonymous user.
> 
> <snip>
>
> After applying you'll get a new permission in your security tab, which 
> is set to manager by default. To get the old behaviour back, just set the
> permission back to anonymous.
> 
> Apply it using patch -p1 ../webdav.patch in your SOFTWARE_HOME (i.e. the 
> Zope-2.3.2-src dir).

I'd like to add this for Zope 2.4, but slightly modified, and 
I wanted to run this by the community for buy-in.

I propose that there be a "WebDAV Access" permission (to be 
consistent w/the existing "FTP Access" permission) that protects 
PROPFIND. Instead of defaulting to "Manager" only (as proposed by
Ivo), I propose that it default to "Manager, Anonymous" so that
current behavior is preserved. In other words, I think it is 
better that sites continue to work exactly as before after the 
change (but that the manager can then go turn off anonymous 
DAV access), rather than have sites suddenly "stop working with
WebDAV" until the manager goes and gives anonymous that 
permission.

Thoughts?



> 
> -- cut here --
> *** Zope-2.3.2-orig/lib/python/webdav/Resource.py       Tue Mar 
> 27 21:50:37 2001
> --- Zope-2.3.2-src/lib/python/webdav/Resource.py        Mon May 
> 14 19:16:46 2001
> ***************
> *** 109,115 ****
>   
>       __ac_permissions__=(
>           ('View',                             ('HEAD',)),
> !         ('Access contents information',      ('PROPFIND',)),
>           ('Manage properties',                ('PROPPATCH',)),
>           ('Delete objects',                   ('DELETE',)),
>       )
> --- 109,115 ----
>   
>       __ac_permissions__=(
>           ('View',                             ('HEAD',)),
> !         ('Access contents information through WebDav',      
> ('PROPFIND',)),
>           ('Manage properties',                ('PROPPATCH',)),
>           ('Delete objects',                   ('DELETE',)),
>       )
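Review bot: the changed line on the `---` side (`!         ('Access contents information through WebDav',` followed by `('PROPFIND',)),` on its own line) has been wrapped by the mailer, so the hunk will not apply with `patch -p1` as quoted: the continuation line carries no context or `!` marker and the old/new line counts in `*** 109,115 ****` / `--- 109,115 ----` no longer match the body. The file-header lines are wrapped the same way. Please resend the patch as an attachment or with wrapping disabled. On the substance, the hunk only renames the permission string, and a permission name that is not registered anywhere else gets the Manager-only default the mail describes, which is exactly the behaviour change Brian objects to; if this goes in, pair the rename with a registered default role set of `('Manager', 'Anonymous')` and use a name in line with the existing "FTP Access" permission.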
> -- cut here --
> 

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
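As an added example (not Zope's own security code, and not part of this thread), the model below mimics how a Zope `__ac_permissions__` table ties a protected method such as PROPFIND to a permission, and how the permission's default roles decide who can reach it, so the Manager-only default and the proposed "Manager, Anonymous" default can be compared side by side. The role tables, the "WebDAV Access" name and the `View` default are assumptions of the model.

```python
# Simplified model of Zope's method -> permission -> roles mapping.
# Shape follows Resource.__ac_permissions__ from the quoted patch, with the
# "WebDAV Access" permission name proposed in the mail (assumption).
AC_PERMISSIONS = (
    ('View',              ('HEAD',)),
    ('WebDAV Access',     ('PROPFIND',)),
    ('Manage properties', ('PROPPATCH',)),
    ('Delete objects',    ('DELETE',)),
)

# Default role sets per permission. 'View' is a pre-existing permission that
# Anonymous already holds (assumption of the model); a permission missing from
# the table falls back to Manager only, as the quoted mail describes.
DEFAULTS_MANAGER_ONLY = {
    'View': ('Manager', 'Anonymous'),
    'WebDAV Access': ('Manager',),
}
DEFAULTS_PRESERVE_BEHAVIOUR = {
    'View': ('Manager', 'Anonymous'),
    'WebDAV Access': ('Manager', 'Anonymous'),
}


def permission_for(method, ac_permissions=AC_PERMISSIONS):
    """Return the permission protecting `method`, or None if it is undeclared."""
    for perm, methods in ac_permissions:
        if method in methods:
            return perm
    return None


def allowed(role, method, default_roles, ac_permissions=AC_PERMISSIONS):
    """True if a user holding `role` may call `method` under `default_roles`.

    An undeclared method is treated as denied here (conservative simplification).
    """
    perm = permission_for(method, ac_permissions)
    if perm is None:
        return False
    return role in default_roles.get(perm, ('Manager',))


def anonymous_reachable(default_roles, ac_permissions=AC_PERMISSIONS):
    """Audit helper: sorted list of declared methods Anonymous may call."""
    methods = [m for _, ms in ac_permissions for m in ms]
    return sorted(m for m in methods if allowed('Anonymous', m, default_roles))


if __name__ == '__main__':
    print('Manager-only default  :', anonymous_reachable(DEFAULTS_MANAGER_ONLY))
    print('Manager+Anonymous     :', anonymous_reachable(DEFAULTS_PRESERVE_BEHAVIOUR))
```

With the Manager-only default, anonymous clients lose PROPFIND (and with it folder listings) until a manager grants the permission; with the second table the site behaves as before and the manager can tighten it later.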