WebDAV for Drupal

A modern WebDAV server module for Drupal 11, built on sabre/dav. Exposes Drupal-managed files over the HTTP-WebDAV protocol with:

• Two auth surfaces on the same /webdav/... prefix, dispatched by URL shape:
  • URL-token (default) — every /webdav/<uid>-<token>/<fid>/<filename> URL embeds a per-file HMAC token in the path, derived from a per-user master secret. Self-authenticating, no Basic challenges, no session cookies. Logout revokes the master, invalidating every active WebDAV URL for the user. Per-file revocation lever (drush webdav:revoke-file) invalidates URLs for a single file without affecting others. Authenticates the Drupal session — works for users signed in via external identity providers (OpenID Connect, SAML, CAS, LDAP) with no local password required.
  • HTTP Basic (opt-in via webdav.settings:basic_auth_enabled, HTTPS only) on /webdav/<fid>/<filename> URLs — for mount-style clients (Cyberduck, Mac Finder, rclone) that can't handle the libreoffice: URL-scheme handoff. See authentication.md for the trade-off rationale.
• Per-resource access control resolved through Drupal's canonical file-download chain (hook_file_download), so existing entity-access rules apply uniformly to WebDAV and to /system/files/* downloads.
• Compatibility with the standard desktop WebDAV clients (LibreOffice, Finder, cadaver) on the full verb set (OPTIONS, PROPFIND, LOCK, GET, PUT, UNLOCK, MOVE, COPY, DELETE).
• Optional submodules: webdav_key (encrypt master secrets at rest with drupal/key) and webdav_lock_pdo (persist locks in the database so they survive container restarts).

Status

Pre-alpha — under active development. Not production-ready. The namespace webdav is being requested via the drupal.org takeover process; once granted, this codebase will move to https://git.drupalcode.org/project/webdav.

Requirements

• Drupal 11
• PHP 8.2+
• sabre/dav 4.7+ (installed automatically via composer)

Installation

composer require drupal/webdav
drush en webdav

After enabling, visit /admin/config/services/webdav to tune the master-secret TTL (default derives from your session GC window).

Guides

• Authentication & access control — URL shape, per-user HMAC chain, the three revocation levers (per-user / per-entity / per-file), permissions, threat model.
• Encryption at rest — optional webdav_key submodule that encrypts master secrets with a key managed by drupal/key.
• Lock storage — optional webdav_lock_pdo submodule that moves WebDAV lock state from the default tempdir-file to the database so locks survive container restarts. Includes the seam for plugging in custom backends.
• Opening remote files in LibreOffice on macOS — AppleScript URL handler + Info.plist recipe for one-click "Open in LibreOffice" buttons.
• Opening remote files in LibreOffice on Windows — PowerShell helper + registry .reg recipe, same flow as the macOS guide.