[Zope] Disabling anonymous webdav access
Brian Lloyd
brian@digicool.com
Fri, 18 May 2001 13:39:25 -0400
> Are WebDAV requests HTTP GET requests? Or are they PUT?
>
> I ask because there might be a way to filter public access with a
> reverse-proxy to certain URLs (with, for example, a Squid redirector).
> Whether or not this kind of thing would work for certain types of WebDAV
> traffic, such as viewing folder contents, depends on the anatomy
> of a WebDAV request...

The idea of "restricting access by protocol" is still an
open issue, and a relatively hard one to integrate with
the intent of permissions in Zope (which are action-oriented
rather than protocol-oriented).

The proposed DAV change is something of a hack that happens
to give most people what they want: the ability to keep
people from using any old DAV client to inspect the
structure of their site. By protecting "PROPFIND" (a DAV
HTTP verb) with a specific permission, the effect is that
clients will be effectively unable to list site contents
if you don't want them to.

As far as GET / PUT, these are not distinguishable from a
non-DAV GET / PUT (but those operations are protected by
action-specific permissions anyway).

So this is not a 100% solution, just one that happens to be
a light-weight way to allow people to solve their immediate
problem (in basically the same way we solve it for FTP).

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
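
The approach described in the message above, gating the DAV listing verb PROPFIND while leaving GET and PUT to the application's action-based permissions, shown as WSGI middleware. This is an added example, not code from the original post or from Zope; `DavListingGuard`, `has_listing_permission`, `backend` and `status_for` are hypothetical names, and "any authenticated user" is an assumed stand-in for the permission check.

```python
from wsgiref.util import setup_testing_defaults

# DAV verb that enumerates collection contents (named in the message above).
LISTING_METHODS = {"PROPFIND"}


def has_listing_permission(environ):
    """Hypothetical permission check: any authenticated user may list."""
    return bool(environ.get("REMOTE_USER"))


class DavListingGuard:
    """WSGI middleware that gates DAV listing verbs behind a permission check."""

    def __init__(self, app, check=has_listing_permission):
        self.app = app
        self.check = check

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in LISTING_METHODS and not self.check(environ):
            body = b"Listing via WebDAV requires authentication.\n"
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("WWW-Authenticate", 'Basic realm="dav"'),
            ])
            return [body]
        # GET and PUT look the same with or without a DAV client, so they
        # pass through to the application's own action-based permissions.
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Constructed backend that answers every request with 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(method, user=None, path="/site/"):
    """Run one constructed request through the guard and return the status."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    if user:
        environ["REMOTE_USER"] = user
    seen = []
    DavListingGuard(backend)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Calling `status_for("PROPFIND")` yields a 401 for an anonymous client, while `status_for("GET")` and `status_for("PUT")` reach the backend unchanged, which matches the "not a 100% solution" caveat in the message.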