[GH-ISSUE #467] Anonymous user gets to see folders without permission #257

Closed
opened 2026-04-08 16:51:32 +03:00 by zhus · 1 comment
Owner

Originally created by @rockstorm101 on GitHub (Oct 22, 2024).
Original GitHub issue: https://github.com/sigoden/dufs/issues/467

Problem

Did a quick test and found what I think is a bug. I've got the following folder configuration:

$ tree
.
├── home.txt
├── private
│   └── secret.txt
└── public
    └── public_data.txt

I run the following command to test:

$ docker run -v `pwd`:/data -p 5000:5000 --rm -it sigoden/dufs \
    /data -A \
    -a @/public:ro \
    -a user:pass@/private:rw \
    -a admmin:admin@/:rw

Accessing it via web browser I get what I was expecting, an anonymous user only gets to see the public folder:
[Screenshot: browser_view]

However, when accessing via Thunar (via WebDAV) without any login, I can also see the private folder.
[Screenshot: thunar_view]

I was expecting webdav access to be the same as browser and hide the private folder from anonymous users. If you need me to provide more debugging information please provide some guidance, I'm no expert.

Many thanks for this software, looks amazing.

Environment Information

  • Dufs version:
     $ docker images | grep dufs
     sigoden/dufs                 latest             b1cc1cc7e9b0   7 weeks ago    4.39MB
    
  • Browser/Webdav info: Firefox 131.0.3 (no idea how to look for the WebDAV version)
  • OS info: Debian Sid
zhus closed this issue 2026-04-08 16:51:32 +03:00
Author
Owner

@sigoden commented on GitHub (Oct 23, 2024):

Similar to #263, #268, #338.

WebDAV must be designed like this. See #229.

This is because some webdav clients do not carry the Authorization header when listing files.
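
An added example, not part of the original issue or of dufs's code: a Python check an operator could run over a saved anonymous PROPFIND reply to see which listed entries fall outside the anonymous `-a` grants. The rule parsing is a simplified reading of the rule strings shown in the issue, and the multistatus reply is constructed to match the listing the reporter describes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Access rules copied from the docker command in the issue.
RULES = ["@/public:ro", "user:pass@/private:rw", "admmin:admin@/:rw"]

# Constructed PROPFIND (Depth: 1) reply for "/", shaped like the listing
# the reporter saw without logging in. Not captured from a real server.
SAMPLE_MULTISTATUS = """<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/</D:href></D:response>
  <D:response><D:href>/private/</D:href></D:response>
  <D:response><D:href>/public/</D:href></D:response>
</D:multistatus>"""


def anonymous_paths(rules):
    """Paths granted to the anonymous account (simplified rule parsing)."""
    granted = []
    for rule in rules:
        cred, _, paths = rule.rpartition("@")
        if cred:  # "user:pass@..." is a named account
            continue
        for item in paths.split(","):
            path = item.partition(":")[0]  # drop ":ro" / ":rw"
            granted.append("/" + path.strip("/"))
    return granted


def listed_paths(multistatus_xml):
    """Extract normalised paths from the DAV:href elements of a reply."""
    root = ET.fromstring(multistatus_xml)
    hrefs = (el.text or "" for el in root.iter("{DAV:}href"))
    return ["/" + unquote(urlsplit(h).path).strip("/") for h in hrefs]


def is_under(path, base):
    return base == "/" or path == base or path.startswith(base + "/")


def unexpected_entries(multistatus_xml, rules):
    """Listed paths outside every anonymous grant (parents of one are ok)."""
    granted = anonymous_paths(rules)
    return [p for p in listed_paths(multistatus_xml)
            if not any(is_under(p, g) or is_under(g, p) for g in granted)]


if __name__ == "__main__":
    for path in unexpected_entries(SAMPLE_MULTISTATUS, RULES):
        print("listed to anonymous but not granted:", path)
```

A flagged entry here only means its name appears in the listing; whether its contents can be read is a separate request to test.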

Reference: sigoden/dufs#257