Kevin Wiggen wrote:
> FYI -- Xythos would consider it a security hole if a webdav client can do a directory listing and view file names that people do NOT have read access to. I hate when my boss has that file called FIRE-KEVIN.doc in his directory.
>
> This is NOT how other servers view this (for instance SAP), but I would believe it is up to the server how "secure" they want to be. Yes they can find out if they try to WRITE to a file location that has a pre-named file, however there might be other reasons the user cannot write to that location.
>
> Kevin

Kevin,

yes I totally agree that it's the server's choice to decide that. I wasn't trying to advocate one specific approach.

Basically, if the server exposes the names of children that the user doesn't have access to, security works in a different way. For instance, users will have to move resources they don't want to be visible into a specific folder, and deny read access to that folder as well.

Best regards, Julian

Received on Thursday, 30 November 2006 16:57:37 GMT
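The two listing policies discussed in this thread, and the private-folder workaround under the exposing policy, as an added example that is not part of the original messages or of any server's code. The `Resource` model, the function names and the sample data are hypothetical and constructed for illustration.

```python
# Added example: toy in-memory model, not code from any real WebDAV server.
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    readers: set                                   # principals with read access
    children: list = field(default_factory=list)   # used when this is a collection

def list_children(coll, user, filter_unreadable):
    """Child names a directory listing of `coll` would show `user`.

    filter_unreadable=True  -> names of unreadable children are omitted
    filter_unreadable=False -> all child names are exposed
    Returns None when the user cannot read the collection itself.
    """
    if user not in coll.readers:
        return None
    return [c.name for c in coll.children
            if not filter_unreadable or user in c.readers]

def build_boss_dir():
    # Constructed sample data.
    return Resource("boss", {"boss", "kevin"}, [
        Resource("report.doc", {"boss", "kevin"}),
        Resource("FIRE-KEVIN.doc", {"boss"}),
    ])

def hide_in_private_folder(coll, name, owner):
    """Workaround under the exposing policy: move `name` into a child
    folder readable only by `owner`. Returns the new folder."""
    target = next(c for c in coll.children if c.name == name)
    coll.children.remove(target)
    private = Resource("private", {owner}, [target])
    coll.children.append(private)
    return private

if __name__ == "__main__":
    d = build_boss_dir()
    print(list_children(d, "kevin", True))    # filtering server
    print(list_children(d, "kevin", False))   # exposing server
    p = hide_in_private_folder(d, "FIRE-KEVIN.doc", "boss")
    print(list_children(d, "kevin", False), list_children(p, "kevin", False))
```

After the move, the exposing server still shows the name of the private folder itself; only the names inside it are withheld.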