This may be more 2.6 (or even 2.5.1 final) fodder:

I notice that in a vanilla Zope install, Anonymous users are allowed access 
through WebDAV. This is bad for two reasons:

1. From a security perspective this discloses way too much information about 
your site to the outside world.

2. Due to vagaries of WebDAV authentication, it makes it impossible to edit 
anything, because I guess the WebDAV implementation is too stupid to force a 
login when you try to lock something as anonymous (instead it returns a 500 
server error). To get around this you have to create or copy an object to 
force a login. This problem disappears if everyone must log in to access 
WebDAV at all.

So the question is: Is there a good reason why WebDAV access is granted to 
anonymous by default? If not I vote we change it.

/---------------------------------------------------\
  Casey Duncan, Sr. Web Developer
  National Legal Aid and Defender Association
  [EMAIL PROTECTED]
\---------------------------------------------------/
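
Added example, not part of the original post and not Zope code: a small audit that sends unauthenticated PROPFIND and LOCK requests to a server you administer and reports the two conditions described above. The names `classify`, `audit`, `StubDAV` and `demo` are hypothetical, and the stub server is a constructed stand-in that mimics the reported behaviour so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOCK_BODY = ('<?xml version="1.0"?><D:lockinfo xmlns:D="DAV:">'
             '<D:lockscope><D:exclusive/></D:lockscope>'
             '<D:locktype><D:write/></D:locktype></D:lockinfo>')

def classify(method, status):
    """Map the status of a credential-less WebDAV request to a finding."""
    if status == 401:
        return "login enforced"
    if method == "PROPFIND" and status == 207:
        return "anonymous WebDAV listing allowed"
    if method == "LOCK" and status >= 500:
        return "anonymous LOCK fails with server error instead of 401"
    return "unexpected status %d" % status

def audit(host, port, path="/"):
    """Send PROPFIND and LOCK without credentials; return {method: finding}."""
    findings = {}
    for method, headers, body in (("PROPFIND", {"Depth": "0"}, None),
                                  ("LOCK", {"Content-Type": "text/xml"}, LOCK_BODY)):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path, body=body, headers=headers)
            findings[method] = classify(method, conn.getresponse().status)
        finally:
            conn.close()
    return findings

class StubDAV(BaseHTTPRequestHandler):
    """Constructed stand-in: answers like the install described in the post."""
    def _reply(self, status):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_PROPFIND(self): self._reply(207)   # Multi-Status: listing served
    def do_LOCK(self): self._reply(500)       # server error instead of 401
    def log_message(self, *args): pass        # keep the demo quiet

def demo():
    """Run the audit against the local stub on an ephemeral port."""
    with HTTPServer(("127.0.0.1", 0), StubDAV) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return audit("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
```

Against a server where WebDAV requires a login, both methods should come back as "login enforced".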

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev