[drupal-devel] Howto enable webdav in your drupal directory
It was not too easy to make webdav work in my drupal directory while using clean URLs so I like to share these instructions. Note: Using webdav without SSL is probably a security risk... Add this line to .htaccess just befor the RewriteRule line(s): RewriteCond %{REQUEST_METHOD} !(^PUT$|^DELETE$|^PROPFIND$) Add these lines to your httpd.conf to enable http::/yourhost/drupal-source as webdav location: <IfModule mod_dav.c> Alias /drupal-source /home/www/shiatsu/test45.0xc.net/docs <Location /drupal-source> AuthType Basic AuthName "drupal php" # change path to your path AuthUserFile /path/.htpasswd Require valid-user # Don't use handlers SetHandler default-handler RemoveHandler .php .html DAV On Options +Indexes Order allow,deny # change all to your IP address Allow from all # Lock down all actions except those that are read-only <LimitExcept GET HEAD OPTIONS> Allow from all # change admin to your username Require user admin </LimitExcept> </Location> </IfModule> Cheers!
On Thu, 3 Feb 2005, Karsten Müller wrote:
It was not too easy to make webdav work in my drupal directory while using clean URLs so I like to share these instructions.
Much appreciated. I've unsecessfully spnd half an afternoon at trying to get this working myself...
Note: Using webdav without SSL is probably a security risk...
More than standard http?
Add this line to .htaccess just befor the RewriteRule line(s): RewriteCond %{REQUEST_METHOD} !(^PUT$|^DELETE$|^PROPFIND$)
I think this is the key issue.
Add these lines to your httpd.conf to enable http::/yourhost/drupal-source as webdav location:
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV. While this is probably interesting I think that modifying and uploading files to Drupal through webDAV would be more interesting. Eg image module would have an webDAV enabled upload directory and retrieve uloaded files from there.
<IfModule mod_dav.c> Alias /drupal-source /home/www/shiatsu/test45.0xc.net/docs <Location /drupal-source> AuthType Basic AuthName "drupal php" # change path to your path AuthUserFile /path/.htpasswd
It would be interesting to let webDAV authenticate against the Drupal database. Cheers, Gerhard
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV. While this is probably interesting I think that modifying and uploading files to Drupal through webDAV would be more interesting. Eg image module would have an webDAV enabled upload directory and retrieve uloaded files from there.
Indeed, but probably it would be better to implement a webdav(ish) hook, webdav is a kind of file/version control oriented RPC. Drupal does have the nessesary igradients to be able to implement it - XML parser, php knows about post, put, whatever http requests, we have the example of the BlogApi, Webdav is not too different. A native understanging of DAV will allow updating any content by submitting a file via webDAV. The only missing ingredient is http authentication against drupal, that is Drupal knowing and speaking the www-authenticate and authorization http headers. -- Vladimir Zlatanov <vlado@dikini.net>
On Fri, 4 Feb 2005, Vladimir Zlatanov wrote:
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV. While this is probably interesting I think that modifying and uploading files to Drupal through webDAV would be more interesting. Eg image module would have an webDAV enabled upload directory and retrieve uloaded files from there.
Indeed, but probably it would be better to implement a webdav(ish) hook, webdav is a kind of file/version control oriented RPC. Drupal does have the nessesary igradients to be able to implement it - XML parser, php knows about post, put, whatever http requests, we have the example of the BlogApi, Webdav is not too different.
I think there are webDAV scripts in PHP. However, for my purposes it would be sufficient to use the mod_dav Apache module.
A native understanging of DAV will allow updating any content by submitting a file via webDAV.
True.
The only missing ingredient is http authentication against drupal, that is Drupal knowing and speaking the www-authenticate and authorization http headers.
I think there is another Apache module that could be used for this. I will check this. A native Drupal solution would probably be more interesting, but also more difficult to implement. ;^) Cheers, Gerhard
Just thought I'd mention... HTTP Authentication is easy with PHP (Oh, that's what Drupal is written in!) Have a look here for the details: http://uk.php.net/features.http-auth Cheers, Ross. Gerhard Killesreiter wrote:
The only missing ingredient is http authentication against drupal, that is Drupal knowing and speaking the www-authenticate and authorization http headers.
I think there is another Apache module that could be used for this. I will check this.
A native Drupal solution would probably be more interesting, but also more difficult to implement. ;^)
Cheers, Gerhard
Ross Kendall wrote:
Just thought I'd mention...
HTTP Authentication is easy with PHP (Oh, that's what Drupal is written in!)
Good point - but it does come with a lot of conditions and is not very cross platform/ cross configuration friendly. andre
The only missing ingredient is http authentication against drupal, that is Drupal knowing and speaking the www-authenticate and authorization http headers.
I think there is another Apache module that could be used for this. I will check this.
A native Drupal solution would probably be more interesting, but also more difficult to implement. ;^)
Are the ten lines you can use in PHP to have HTTP authentication difficult to implement? :) http://www.php.net/manual/en/features.http-auth.php Goba
On Fri, 4 Feb 2005, Gabor Hojtsy wrote:
The only missing ingredient is http authentication against drupal, that is Drupal knowing and speaking the www-authenticate and authorization http headers.
I think there is another Apache module that could be used for this. I will check this.
A native Drupal solution would probably be more interesting, but also more difficult to implement. ;^)
Are the ten lines you can use in PHP to have HTTP authentication difficult to implement? :)
No, but it is not only authentification that needs to be implemented if you want to have DAV without mod_dav. Cheers, Gerhard
The only missing ingredient is http authentication against drupal, that is Drupal knowing and speaking the www-authenticate and authorization http headers.
I think there is another Apache module that could be used for this. I will check this.
A native Drupal solution would probably be more interesting, but also more difficult to implement. ;^)
Are the ten lines you can use in PHP to have HTTP authentication difficult to implement? :)
No, but it is not only authentification that needs to be implemented if you want to have DAV without mod_dav.
Well, sure. I was confused by yourself replying on the "the only missing ingredient is http authentication against drupal..." statement. Goba
On Fri, 4 Feb 2005, Gabor Hojtsy wrote:
Are the ten lines you can use in PHP to have HTTP authentication difficult to implement? :)
No, but it is not only authentification that needs to be implemented if you want to have DAV without mod_dav.
Well, sure. I was confused by yourself replying on the "the only missing ingredient is http authentication against drupal..." statement.
*g* It should be easy to use mod_auth_mysql to quthenticate against a Drupal DB: http://modauthmysql.sourceforge.net/CONFIGURE It could even be possible to use some kind of group setup if you should have on. Cheers, Gerhard
Are the ten lines you can use in PHP to have HTTP authentication difficult to implement? :)
http://www.php.net/manual/en/features.http-auth.php Exactly, not at all. I think the best way to do it is at the end of bootstrap, after the session code has passed.
My idea roughly is long the lines: * if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="My drupal site(may be in subdirectory)"'); header('HTTP/1.0 401 Unauthorized'); echo 'Text to send if user hits Cancel button'; exit; } else { verify the username:password - ala user_login(); } This will mean that you end up with a valid $user. * possibly digest authentication as well I'll be doing that this weekend, I need to test authenticated RSS feeds powered by drupal. I will not be online this weekend, but will post a patch on Monday to demo the idea. I don't think it is something major anyway (the http auth bit) ---- webDAV is an extension to http, sort of I prefer calling that a special kind of XML based RPC, because most of the extensions are actually XML encoded messages. I think there was an implemenation of webDAV for PHP. I am not sure which features, and what level of webDAV are worth it in Drupal's case. upload, version control, locking? Cheers, Vlado
On 2/4/05 12:52 PM, Vladimir Zlatanov wrote:
Are the ten lines you can use in PHP to have HTTP authentication difficult to implement? :)
Exactly, not at all. I think the best way to do it is at the end of bootstrap, after the session code has passed.
My idea roughly is long the lines: * if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="My drupal site(may be in subdirectory)"'); header('HTTP/1.0 401 Unauthorized'); echo 'Text to send if user hits Cancel button'; exit; } else { verify the username:password - ala user_login();
you're gonna want to use user_authenticate() instead, but right idea.
}
This will mean that you end up with a valid $user.
* possibly digest authentication as well
I'll be doing that this weekend, I need to test authenticated RSS feeds powered by drupal.
I will not be online this weekend, but will post a patch on Monday to demo the idea. I don't think it is something major anyway (the http auth bit)
would be good for RSS readers too, methinks.
---- webDAV is an extension to http, sort of
I prefer calling that a special kind of XML based RPC, because most of the extensions are actually XML encoded messages.
But it's not actually "RPC" in a traditional sense. But, I think I see what you're saying. It is an extension to HTTP though, in the sense that they've added some additional "actions" (i.e. beyond GET / POST / PUT), such as PROPLIST, MKCOL, etc.
I think there was an implemenation of webDAV for PHP. I am not sure which features, and what level of webDAV are worth it in Drupal's case. upload, version control, locking?
Yeah, ultimately a full delta-v implementation would be sweet, but for now basic upload sounds like it would make lots of folks happy. The main webdav implementation for php I know of is the pear package: http://pear.php.net/package/HTTP_WebDAV_Server which is still labeled as "beta". I'm sure there are others though. -- James Walker :: http://walkah.net/
On 2/4/05 6:50 AM, Vladimir Zlatanov wrote:
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV. While this is probably interesting I think that modifying and uploading files to Drupal through webDAV would be more interesting. Eg image module would have an webDAV enabled upload directory and retrieve uloaded files from there.
Indeed, but probably it would be better to implement a webdav(ish) hook, webdav is a kind of file/version control oriented RPC. Drupal does have the nessesary igradients to be able to implement it - XML parser, php knows about post, put, whatever http requests, we have the example of the BlogApi, Webdav is not too different.
well, almost. XML-PPC (which blogapi uses) happens entirely via POST, and nothing special as far as PHP configuration. webdav, on the other hand, defines some extensions to standard HTTP, thus you need the "allow_webdav_methods" which only showed up in 4.3.2. for more info see: http://ca3.php.net/manual/en/ini.sect.data-handling.php That said, webdav would be a cool extension - bulk image/file uploads, iCal publishing, etc etc would all be possible over webdav. -- James Walker :: http://walkah.net/
On 2/4/05 8:35 AM, James Walker wrote:
well, almost. XML-PPC (which blogapi uses) happens entirely via POST,
That's "XML-RPC", of course. time for coffee. *sigh* -- James Walker :: http://walkah.net/
James Walker wrote:
That said, webdav would be a cool extension ... iCal publishing, etc etc would all be possible over webdav.
Yes! I would kill to be able to easily integrate iCals on my Drupal site (or sites) - it would be better than any 'event' type module I've seen to this point. andre
Gerhard Killesreiter wrote:
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV. While this is probably interesting I think that modifying and uploading files to Drupal through webDAV would be more interesting. Eg image module would have an webDAV enabled upload directory and retrieve uloaded files from there.
That would be most interesting and useful to me -- and others who have hosts like mine. My primary hosting company only allows access to files via WebDAV; there is no FTP and no shell. That means it is a problem to have Drupal have upload directories; they have to be created writable by everyone, since the web server runs as a different UID than each WebDAV user (e.g. the site owner). Having "open" directories like that is not very secure or desirable. But if Drupal could use my WebDAV credentials and do WebDAV uploads, all would be solved. My host uses mod_dav with Apache. -- Chris Johnson
Note: Using webdav without SSL is probably a security risk...
More than standard http?
The SSL encryption avoids the transmission of cleartext passwords.
Add this line to .htaccess just befor the RewriteRule line(s): RewriteCond %{REQUEST_METHOD} !(^PUT$|^DELETE$|^PROPFIND$)
I think this is the key issue.
Yes. I meanwhile changed it to RewriteCond %{REQUEST_METHOD} (^GET$|^HEAD$|^POST$) This would catch the commonly used HTTP methods instead of just a few webdav methods (implemented by mod_dav are OPTIONS, DELETE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK).
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV.
As James said that would be cool;) Cheers, Karsten
On Mon, 7 Feb 2005, [ISO-8859-1] Karsten M�ller wrote:
Note: Using webdav without SSL is probably a security risk...
More than standard http?
The SSL encryption avoids the transmission of cleartext passwords.
Yes, but that is the same with standard http.
Add this line to .htaccess just befor the RewriteRule line(s): RewriteCond %{REQUEST_METHOD} !(^PUT$|^DELETE$|^PROPFIND$)
I think this is the key issue.
Yes. I meanwhile changed it to RewriteCond %{REQUEST_METHOD} (^GET$|^HEAD$|^POST$)
This would catch the commonly used HTTP methods instead of just a few webdav methods (implemented by mod_dav are OPTIONS, DELETE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK).
Right, that is probably better.
If I read all this stuff right, you will now be able to modify Drupal's files through webDAV.
As James said that would be cool;)
Shouldn't that work for you? Ie couldn't you add some modules through webDAV? Cheers, Gerhard
participants (8)
-
Andre Molnar -
Chris Johnson -
Gabor Hojtsy -
Gerhard Killesreiter -
James Walker -
Karsten Müller -
Ross Kendall -
Vladimir Zlatanov