[Zope-dev] Re: zope nautilus cabal

Chris McDonough chrism@digicool.com
Fri, 13 Apr 2001 15:52:35 -0400


This isn't a bug, it's a feature.  A bad one, likely, as there's no easy way
to turn it off. ;-)  I believe that if you turn off "Access Contents
Information" permission for anonymous on the root folder, a WebDAV directory
listing can't be retrieved.  This, however, likely breaks lots of things
that have nothing to do with WebDAV.

The WebDAV (and XMLRPC) stuff either needs to be decomposed to run on its
own port (and only that port) or more explicit permissions need to be
associated with WebDAV/XMLRPC operations if we take for granted that being
able to browse the root folder structure is a bad thing.

- C


----- Original Message -----
From: "Andrea Fanfani" <andrea@debian.org>
To: "Chris McDonough" <chrism@digicool.com>
Cc: "Federico Di Gregorio" <fog@mixadlive.com>; <flight@debian.org>;
<zope-dev@zope.org>
Sent: Friday, April 13, 2001 2:42 PM
Subject: Re: [Zope-dev] Re: zope nautilus cabal


> On Fri, Apr 13, 2001 at 01:49:24PM -0400, Chris McDonough wrote:
> > How is this any different than visiting the site in a web browser?
>
> [...]
>
> The difference is that in this way you can see the internal structure
> of the Data.fs and not only the HTTP output from Zope.
> You can access the /manage part without a user and password and see,
> but not modify, the internal structure, bypassing the authentication
> part. In this way an evil user can discover non-public information.
>
> Regards
>
> a.f.
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
>
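The exposure discussed in this thread is an unauthenticated client walking the object tree over WebDAV (PROPFIND) rather than through the normal HTTP rendering. As an added example, not code from the original message or from Zope itself, the following script runs a simple detector over constructed, CLF-style access log lines: it flags WebDAV requests made without a logged-in user that returned 207 Multi-Status, which is the case where a directory listing was actually handed out, and it ignores the same requests when they were refused (401) or made by an authenticated user. The log format, hostnames, paths and the `-` user marker are all assumptions made for the sample; XML-RPC is left out because in this log format a Zope XML-RPC call is indistinguishable from an ordinary POST without the Content-Type header.

```python
import re
from collections import Counter

# Constructed, CLF-style sample lines for the example (not real Zope Z2.log data).
# Field 3 is the authenticated user; "-" means no user was logged in.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2001:14:40:01 -0400] "PROPFIND / HTTP/1.1" 207 4096
10.0.0.5 - - [13/Apr/2001:14:40:02 -0400] "PROPFIND /manage HTTP/1.1" 207 2210
10.0.0.7 - admin [13/Apr/2001:14:41:10 -0400] "PROPFIND /docs HTTP/1.1" 207 1800
10.0.0.9 - - [13/Apr/2001:14:42:00 -0400] "GET /index_html HTTP/1.0" 200 3120
10.0.0.5 - - [13/Apr/2001:14:43:00 -0400] "PROPFIND /private HTTP/1.1" 401 0
10.0.0.8 - - [13/Apr/2001:14:44:00 -0400] "POST /RPC2 HTTP/1.0" 200 512
"""

# One CLF-style line: host ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# WebDAV methods that reveal or change the object tree (RFC 2518 method names).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def anonymous_structure_leaks(log_text):
    """Return records where an unauthenticated client successfully pulled
    WebDAV metadata: no user logged in, a WebDAV method, and a 207 Multi-Status
    reply (a refusal such as 401 means the permission check did its job)."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["user"] == "-"
                and rec["method"] in WEBDAV_METHODS
                and rec["status"] == 207):
            leaks.append(rec)
    return leaks


def summarize_by_host(leaks):
    """Count flagged requests per client host, for a quick triage view."""
    return Counter(rec["host"] for rec in leaks)


if __name__ == "__main__":
    found = anonymous_structure_leaks(SAMPLE_LOG)
    for rec in found:
        print(f"{rec['ts']} {rec['host']} {rec['method']} {rec['path']} -> {rec['status']}")
    print("per host:", dict(summarize_by_host(found)))
```

Run against a real log, the same check tells an administrator whether the root folder is actually listable by Anonymous after a permission change such as removing "Access Contents Information", which is the test the message above says is otherwise hard to perform.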