In oacs-dav package versions prior to 0.7d, WebDAV method filters can be enabled on the site page root for filesystem access. In the default configuration this enables unauthenticated access to any files available to the user the AOLserver process is running as.
This has been fixed in the latest version, 0.7d, and in CVS.
An additional parameter (defaulting to FALSE) has been added to enable access to filesystem files via WebDAV.
To temporarily fix this you can change a setting in the config.tcl AOLserver configuration file. In the ns/server/${server}/tdav/shares/share1 section, change

    ns_param uri "/*"

to

    ns_param uri "/dav/*"

which will only allow access through the OpenACS registered authentication filters.
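
To check whether a server still carries the old setting, the following added example (not part of the oacs-dav package or the original advisory) scans config.tcl text for tdav share sections whose uri falls outside /dav/. The function name audit_tdav_shares, the allowed_prefix parameter and the sample configuration are assumptions constructed for illustration; the parser handles only the plain ns_section / ns_param line form shown above.

```python
import re
import sys

# Constructed sample config.tcl fragment for illustration (not from a real server).
SAMPLE_CONFIG = r'''
ns_section "ns/server/${server}/tdav/shares/share1"
ns_param uri "/*"

ns_section "ns/server/${server}/tdav/shares/share2"
    ns_param   uri   "/dav/*"   ;# restricted
# ns_param uri "/*"
ns_section "ns/server/${server}/module/nssock"
ns_param uri "/*"
'''

SECTION_RE = re.compile(r'^\s*ns_section\s+"?([^"\s]+)"?')
URI_RE = re.compile(r'^\s*ns_param\s+uri\s+"?([^"\s;]+)"?')
SHARE_RE = re.compile(r'/tdav/shares/[^/]+$')  # section name as given in the advisory


def audit_tdav_shares(config_text, allowed_prefix="/dav/"):
    """Return (line_no, section, uri) for each tdav share whose uri
    is not confined to allowed_prefix."""
    findings = []
    section = None
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not active
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # track which section later ns_param lines belong to
            continue
        m = URI_RE.match(line)
        if m and section and SHARE_RE.search(section):
            uri = m.group(1)
            if not uri.startswith(allowed_prefix):
                findings.append((line_no, section, uri))
    return findings


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line_no, section, uri in audit_tdav_shares(text):
        print(f"line {line_no}: [{section}] uri {uri!r} is not under /dav/")
```

A uri set through a Tcl variable is reported as-is without being expanded, so review such lines by hand.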