[Zope] Disabling anonymous webdav access
Sat, 19 May 2001 13:13:33 +0200
>As far as GET / PUT, these are not distinguishable from a
>non-DAV GET / PUT (but those operations are protected by
>action-specific permissions anyway).
>So this is not a 100% solution, just one that happens to be
>a light-weight way to allow people to solve their immediate
>problem (in basically the same way we solve it for FTP).
Ok, so what do you propose Brian? You have a point by stating that you want
the Zope-permissionsystem to be action-based in stead of protocol based.
But then: listing a site's content via the DAV-protocol does not work the
same as via normal http-based protocol: when index_html is present, the
site's content (and sub-directory-structure) is effectively masked via
normal http-access (I think).
So when a certain permission (like Acces Contents Information) effectively
behaves different under different access-protocols, this action-based
permission policy seems to me to be inadequate...
>Brian Lloyd email@example.com
>Software Engineer 540.371.6909
>Digital Creations http://www.digicool.com
>Zope maillist - Zope@zope.org
>** No cross posts or HTML encoding! **
>(Related lists -
> http://lists.zope.org/mailman/listinfo/zope-dev )