Hi All,

As someone pointed out on #zope, it is possible to view folder contents using a WebDAV client as an anonymous user. I.e. download cadaver (http://www.webdav.org/cadaver/), open yourzopeserver:8080 and do ls. Then decide if you want anyone to be able to access this.

Even though hiding this information may be security by obscurity, there are some things you just don't want everyone to see. This allows you to see, for example, the installed products on the server. A hacker might use this knowledge to exploit some known bug in a Zope product if one exists.

Most people (like me) probably think it's harmless to let old objects, documents etc. linger around as you can't view them in listings through FTP or HTTP. They don't realize WebDAV is running by default. Actually, it can't even be disabled! (z2.py -X -w80 won't do the trick!)

Personally I'd rather see this secured. It's not possible to disable 'view contents information' for anonymous users in Zope, as this will ruin your entire site (all anonymous access will then be disabled), so the solution would be to create a new permission for access to contents through WebDAV. And that's what the following (trivial) patch does. After applying you'll get a new permission in your security tab, which is set to Manager by default. To get the old behaviour back, just set the permission back to Anonymous.

Apply it using patch -p1 < ../webdav.patch in your SOFTWARE_HOME (i.e. the Zope-2.3.2-src dir). Or just edit lib/python/webdav/Resource.py by hand :)

I've tested it with Zope 2.3.2, I can't guarantee it will work with other versions (use at your own risk anyway).

-- cut here --
*** Zope-2.3.2-orig/lib/python/webdav/Resource.py Tue Mar 27 21:50:37 2001 --- Zope-2.3.2-src/lib/python/webdav/Resource.py Mon May 14 19:16:46 2001 *************** *** 109,115 **** __ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) --- 109,115 ---- __ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information through WebDav', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), )
-- cut here --

Cheers,

Ivo

--
Drs. I.R. van der Wijk           -=-   Brouwersgracht 132
Amaze Internet Services V.O.F.         1013 HA Amsterdam
                                 -=-   Tel: +31-20-4688336
Linux/Web/Zope/SQL                     Fax: +31-20-4688337
Network Solutions                      Web: http://www.amaze.nl/
Consultancy                            Email: [EMAIL PROTECTED]
                                 -=-

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
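Review bot: nothing in this hunk assigns roles to the new permission; the only change is the string for the PROPFIND entry, from 'Access contents information' to 'Access contents information through WebDav'. The "Manager by default" behaviour the post describes therefore comes from how Zope treats a permission name it has not registered before, not from anything in the patch, so please state that in the patch header (and which Zope versions it was checked against) so that people applying it to other versions know what to verify in the Security tab. Two smaller points: spell the permission 'WebDAV' to match the protocol name used elsewhere in the tree, and note that the hunk headers claim 7 lines (109,115) while only 6 lines are visible on each side of the pasted hunk, so the mail may have dropped a line (most likely a blank one); if patch -p1 rejects the hunk, re-sending the patch as an attachment would avoid the problem.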
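The anonymous listing check Ivo describes doing with cadaver, as an added example that is not part of the original post or of Zope. It issues the same request a WebDAV client sends for ls (PROPFIND with Depth: 1) without any credentials, then parses the 207 Multi-Status body to show which folder members the server disclosed. The hostname yourzopeserver and port 8080 are taken from the post; the sample Multi-Status body is constructed for the example, not captured from a real server, and the script assumes the server accepts a PROPFIND with an empty body.

```python
"""Anonymous WebDAV PROPFIND check for a Zope folder (added example)."""
import http.client
import xml.etree.ElementTree as ET

DAV = "{DAV:}"

# Constructed sample of a 207 Multi-Status body, shaped like a WebDAV
# server's reply to PROPFIND Depth: 1 on the root folder. Not captured
# from a real Zope server; the member names are illustrative.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/Control_Panel</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/old_index_html</d:href>
    <d:propstat>
      <d:prop><d:resourcetype/></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>
"""


def parse_multistatus(body):
    """Return [(href, is_collection), ...] for every DAV: response element
    in a 207 body, in document order. Only the DAV: namespace is honoured,
    so vendor-specific elements are ignored rather than misread."""
    root = ET.fromstring(body)
    members = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="").strip()
        is_collection = resp.find(".//" + DAV + "collection") is not None
        members.append((href, is_collection))
    return members


def classify_propfind(status):
    """Map the status of an unauthenticated PROPFIND to a verdict."""
    if status == 207:
        return "listing open to anonymous users"
    if status in (401, 403):
        return "listing requires credentials"
    return "WebDAV PROPFIND unsupported or unexpected (%d)" % status


def anonymous_propfind(host, port=8080, path="/", timeout=5):
    """Issue PROPFIND Depth: 1 with no Authorization header, exactly what
    a WebDAV client does for a directory listing before it has been
    challenged. Returns (status, members); members is empty unless 207.
    Assumes the server treats an empty PROPFIND body as 'all properties'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PROPFIND", path, body=None,
                     headers={"Depth": "1", "Content-Length": "0"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    members = parse_multistatus(body) if resp.status == 207 else []
    return resp.status, members


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "yourzopeserver"
    status, members = anonymous_propfind(host)
    print(classify_propfind(status))
    for href, is_coll in members:
        print("  %s%s" % (href, "/" if is_coll else ""))
```

Run it against a server before and after applying the patch: a 207 with a member list means anonymous users can still enumerate the folder; a 401 means the PROPFIND permission is now being enforced. Run it against each folder you care about, not only the root, since permissions can be acquired or overridden per folder.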