- DAV: compatibility with Windows Web Folders restored by adding
        a configuration variable that controls the sending of the
        non-standard MS-Author-Via and Public headers. Thanks for
        PatrickD for the the hard work coming up with an initial
        patch.
        (http://zope.org/Collectors/Zope/1441)

doc/CHANGES.txt

@@ -97,6 +97,13 @@ Zope Changes
 
     Bugs Fixed
 
+      - Collector #1441: WebDAV compatibility with Windows Web Folders
+        restored by adding a configuration variable that controls the
+        sending of the non-standard MS-Author-Via and Public
+        headers. Thanks for PatrickD for the the hard work coming up
+        with an initial patch.  
+        (http://zope.org/Collectors/Zope/1441)
+
       - DAV: litmus "notowner_modify" tests warn during a MOVE request
         because we returned "412 Precondition Failed" instead of "423
         Locked" when the resource attempting to be moved was itself
@@ -118,13 +125,14 @@ Zope Changes
         for further rationale.
 
       - When Zope properties were set via DAV in the "null" namespace
-        (xmlns="") a subsequent PROPFIND for the property would cause the 
-        XML representation for that property to show a namespace of 
+        (xmlns="") a subsequent PROPFIND for the property would cause the
+        XML representation for that property to show a namespace of
         xmlns="None".  Fixed within OFS.PropertySheets.dav__propstat.
 
       - Relaxed requirements for context of
         Products.Five.browser.pagetemplatefile.ZopeTwoPageTemplateFile,
-        to reduce barriers for testing renderability of views which use them.
+        to reduce barriers for testing renderability of views which
+        use them.
         (http://www.zope.org/Collectors/Zope/2327)
 
       - Collector #2304: fixed markup issue in ptEdit.zpt
@@ -1296,7 +1304,8 @@ Zope Changes
        x86_64 systems
 
      - ZReST: the charset used in the rendered HTML was not set to the
-       corresponding output_encoding property of the ZReST instance. In addition
+       corresponding output_encoding property of the ZReST instance. In
+addition
        changing the encodings through the Properties tab did not re-render
        the HTML.
 

lib/python/Zope2/Startup/handlers.py

@@ -150,6 +150,14 @@ def cgi_maxlen(value):
 def http_header_max_length(value):
     return value
 
+def enable_ms_author_via(value):
+    import webdav
+    webdav.enable_ms_author_via = value
+
+def enable_ms_public_header(value):
+    import webdav
+    webdav.enable_ms_public_header = value
+
 def catalog_getObject_raises(value):
 
     if value is not None:

lib/python/Zope2/Startup/tests/test_schema.py

@@ -95,6 +95,50 @@ class StartupTestCase(unittest.TestCase):
         items.sort()
         self.assertEqual(items, [("FEARFACTORY", "rocks"), ("NSYNC","doesnt")])
 
+    def test_ms_author_via(self):
+        import webdav
+        from Zope2.Startup.handlers import handleConfig
+
+        default_setting = webdav.enable_ms_author_via
+        try:
+            conf, handler = self.load_config_text("""\
+                instancehome <<INSTANCE_HOME>>
+                enable-ms-author-via true
+                """)
+            handleConfig(None, handler)
+            self.assert_(webdav.enable_ms_author_via == True)
+
+            conf, handler = self.load_config_text("""\
+                instancehome <<INSTANCE_HOME>>
+                enable-ms-author-via false
+                """)
+            handleConfig(None, handler)
+            self.assert_(webdav.enable_ms_author_via == False)
+        finally:
+            webdav.enable_ms_author_via = default_setting
+
+    def test_ms_public_header(self):
+        import webdav
+        from Zope2.Startup.handlers import handleConfig
+
+        default_setting = webdav.enable_ms_public_header
+        try:
+            conf, handler = self.load_config_text("""\
+                instancehome <<INSTANCE_HOME>>
+                enable-ms-public-header true
+                """)
+            handleConfig(None, handler)
+            self.assert_(webdav.enable_ms_public_header == True)
+
+            conf, handler = self.load_config_text("""\
+                instancehome <<INSTANCE_HOME>>
+                enable-ms-public-header false
+                """)
+            handleConfig(None, handler)
+            self.assert_(webdav.enable_ms_public_header == False)
+        finally:
+            webdav.enable_ms_public_header = default_setting
+
     def test_path(self):
         p1 = tempfile.mktemp()
         p2 = tempfile.mktemp()

lib/python/Zope2/Startup/zopeschema.xml

@@ -553,6 +553,63 @@
     </description>
   </key>
 
+  <key name="enable-ms-author-via" datatype="boolean" handler="enable_ms_author_via" default="off">
+     <description>
+     Set this directive to 'true' to enable the "MS-Author-Via" header
+     in response to an OPTIONS WebDAV request. Early versions of
+     Microsoft Web Folders and Microsoft Office require this header to
+     be present to be able to connect to Zope via WebDAV.
+
+     This is disabled by default since it makes a lot of standards-compliant
+     things unhappy AND it tricks Microsoft Office into trying to edit Office
+     files stored in Zope via WebDAV even when the user isn't allowed to edit
+     them and is only trying to download them.
+
+     Check this collector entry for more information:
+     http://www.zope.org/Collectors/Zope/1441
+
+     Recent versions of Microsoft Web Folders, updated after January
+     2005, do not require this header anymore, and instead require a
+     "Public" header to be present in reply to the OPTIONS WebDAV
+     request.
+     (http://www.redmountainsw.com/wordpress/archives/webfolders-zope)
+ 
+     To get a recent Microsoft Web Folders implementation, refer to
+     Microsoft KB Article 907306.
+     (Software Update for Web Folders: May 18, 2007).
+     </description>
+     <metadefault>off</metadefault>
+  </key>
+
+  <key name="enable-ms-public-header" datatype="boolean" handler="enable_ms_public_header" default="off">
+     <description>
+     Set this directive to 'on' to enable sending the "Public" header
+     in response to an WebDAV OPTIONS request.
+
+     Though recent WebDAV drafts mention this header, the original
+     WebDAV RFC did not mention it as part of the standard. Very few
+     web servers out there include this header in their replies, most
+     notably IIS and Netscape Enterprise 3.6.
+
+     Since many best practices documents out in the web mention
+     turning off this header with the subject of "Mask Your Web Server
+     For Enhanced Security", this setting is off by
+     default. Presumably malicious people might take the presence of
+     this header as indication of an IIS Web Server and try to attack
+     your site, so be careful when turning it on.
+
+     Recent versions of Microsoft Web Folders, updated after January
+     2005, *do* require this header to be present in reply to the
+     OPTIONS WebDAV request.
+     (http://www.redmountainsw.com/wordpress/archives/webfolders-zope)
+ 
+     To get a recent Microsoft Web Folders implementation, refer to
+     Microsoft KB Article 907306.
+     (Software Update for Web Folders: May 18, 2007).
+     </description>
+     <metadefault>off</metadefault>
+  </key>
+
   <key name="dns-server" datatype=".dns_resolver" attribute="dns_resolver">
     <description>
      Specify the IP address of your DNS server in order to cause resolved

lib/python/webdav/Resource.py

@@ -18,8 +18,10 @@ $Id$
 import mimetypes
 import sys
 import warnings
+import re
 from urllib import unquote
 
+import webdav
 import ExtensionClass
 from Globals import InitializeClass
 from AccessControl import getSecurityManager
@@ -54,6 +56,7 @@ from OFS.event import ObjectClonedEvent
 from OFS.event import ObjectWillBeMovedEvent
 import OFS.subscribers
 
+ms_dav_agent = re.compile("Microsoft.*Internet Publishing.*")
 
 class Resource(ExtensionClass.Base, Lockable.LockableItem):
 
@@ -220,6 +223,15 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
         RESPONSE.setHeader('Allow', ', '.join(self.__http_methods__))
         RESPONSE.setHeader('Content-Length', 0)
         RESPONSE.setHeader('DAV', '1,2', 1)
+
+        # Microsoft Web Folders compatibility, only enabled if
+        # User-Agent matches.
+        if ms_dav_agent.match(REQUEST.get_header('User-Agent', '')):
+            if webdav.enable_ms_public_header:
+                RESPONSE.setHeader('Public', ', '.join(self.__http_methods__))
+            if webdav.enable_ms_author_via:
+                RESPONSE.setHeader('MS-Author-Via', 'DAV')
+
         RESPONSE.setStatus(200)
         return RESPONSE
 

lib/python/webdav/__init__.py

@@ -36,3 +36,6 @@
    Microsoft, U.C. Irvine, Netscape, Novell.  February, 1999."""
 
 __version__='$Revision: 1.7 $'[11:-2]
+
+enable_ms_author_via = False
+enable_ms_public_header = False

lib/python/webdav/tests/testResource.py

@@ -4,6 +4,26 @@ from AccessControl.SecurityManagement import noSecurityManager
 from AccessControl.SecurityManager import setSecurityPolicy
 from Acquisition import Implicit
 
+
+MS_DAV_AGENT = "Microsoft Data Access Internet Publishing Provider DAV"
+
+def make_request_response(environ=None):
+    from StringIO import StringIO
+    from ZPublisher.HTTPRequest import HTTPRequest
+    from ZPublisher.HTTPResponse import HTTPResponse
+    
+    if environ is None:
+        environ = {}
+
+    stdout = StringIO()
+    stdin = StringIO()
+    resp = HTTPResponse(stdout=stdout)
+    environ.setdefault('SERVER_NAME', 'foo')
+    environ.setdefault('SERVER_PORT', '80')
+    environ.setdefault('REQUEST_METHOD', 'GET')
+    req = HTTPRequest(stdin, environ, resp)
+    return req, resp
+
 class TestResource(unittest.TestCase):
     def setUp(self):
         self.app = DummyContent()
@@ -34,6 +54,61 @@ class TestResource(unittest.TestCase):
         verifyClass(IDAVResource, Resource)
         verifyClass(IWriteLock, Resource)
 
+    def test_ms_author_via(self):
+        import webdav
+        from webdav.Resource import Resource
+
+        default_settings = webdav.enable_ms_author_via
+        try:
+            req, resp = make_request_response()
+            resource = Resource()
+            resource.OPTIONS(req, resp)
+            self.assert_(not resp.headers.has_key('ms-author-via'))
+
+            webdav.enable_ms_author_via = True
+            req, resp = make_request_response()
+            resource = Resource()
+            resource.OPTIONS(req, resp)
+            self.assert_(not resp.headers.has_key('ms-author-via'))
+
+            req, resp = make_request_response(
+                environ={'USER_AGENT': MS_DAV_AGENT})
+            resource = Resource()
+            resource.OPTIONS(req, resp)
+            self.assert_(resp.headers.has_key('ms-author-via'))
+            self.assert_(resp.headers['ms-author-via'] == 'DAV')
+
+        finally:
+            webdav.enable_ms_author_via = default_settings
+
+    def test_ms_public_header(self):
+        import webdav
+        from webdav.Resource import Resource
+        default_settings = webdav.enable_ms_public_header
+        try:
+            req, resp = make_request_response()
+            resource = Resource()
+            resource.OPTIONS(req, resp)
+            self.assert_(not resp.headers.has_key('public'))
+
+            webdav.enable_ms_public_header = True
+            req, resp = make_request_response()
+            resource = Resource()
+            resource.OPTIONS(req, resp)
+            self.assert_(not resp.headers.has_key('public'))
+            self.assert_(resp.headers.has_key('allow'))
+
+            req, resp = make_request_response(
+                environ={'USER_AGENT': MS_DAV_AGENT})
+            resource = Resource()
+            resource.OPTIONS(req, resp)
+            self.assert_(resp.headers.has_key('public'))
+            self.assert_(resp.headers.has_key('allow'))
+            self.assert_(resp.headers['public'] == resp.headers['allow'])
+
+        finally:
+            webdav.enable_ms_public_header = default_settings
+
     def test_MOVE_self_locked(self):
         """
         DAV: litmus"notowner_modify" tests warn during a MOVE request

skel/etc/zope.conf.in

@@ -443,6 +443,70 @@ instancehome $INSTANCE
 #
 #     http-header-max-length 16384
 
+# Directive: enable-ms-author-via
+#
+# Description:
+#     Set this directive to 'true' to enable the "MS-Author-Via" header
+#     in response to an OPTIONS WebDAV request. Early versions of
+#     Microsoft Web Folders and Microsoft Office require this header to
+#     be present to be able to connect to Zope via WebDAV.
+#
+#     This is disabled by default since it makes a lot of standards-compliant
+#     things unhappy AND it tricks Microsoft Office into trying to edit Office
+#     files stored in Zope via WebDAV even when the user isn't allowed to edit
+#     them and is only trying to download them.
+#
+#     Check this collector entry for more information:
+#     http://www.zope.org/Collectors/Zope/1441
+#
+#     Recent versions of Microsoft Web Folders, updated after January
+#     2005, do not require this header anymore, and instead require a
+#     "Public" header to be present in reply to the OPTIONS WebDAV
+#     request.
+#     (http://www.redmountainsw.com/wordpress/archives/webfolders-zope)
+# 
+#     To get a recent Microsoft Web Folders implementation, refer to
+#     Microsoft KB Article 907306.
+#     (Software Update for Web Folders: May 18, 2007).
+#
+# Default: off
+#
+# Example:
+#
+#    enable-ms-author-via on
+
+# Directive: enable-ms-public-header
+#
+# Description:
+#     Set this directive to 'on' to enable sending the "Public" header
+#     in response to an WebDAV OPTIONS request.
+#
+#     Though recent WebDAV drafts mention this header, the original
+#     WebDAV RFC did not mention it as part of the standard. Very few
+#     web servers out there include this header in their replies, most
+#     notably IIS and Netscape Enterprise 3.6.
+#
+#     Since many best practices documents out in the web mention
+#     turning off this header with the subject of "Mask Your Web Server
+#     For Enhanced Security", this setting is off by
+#     default. Presumably malicious people might take the presence of
+#     this header as indication of an IIS Web Server and try to attack
+#     your site, so be careful when turning it on.
+#
+#     Recent versions of Microsoft Web Folders, updated after January
+#     2005, *do* require this header to be present in reply to the
+#     OPTIONS WebDAV request.
+#     (http://www.redmountainsw.com/wordpress/archives/webfolders-zope)
+#
+#     To get a recent Microsoft Web Folders implementation, refer to
+#     Microsoft KB Article 907306.
+#     (Software Update for Web Folders: May 18, 2007).
+#
+# Default: off
+#
+# Example:
+#
+#    enable-ms-public-header on
 
 # Directive: automatically-quote-dtml-request-data
 #