Drupal is a registered trademark of Dries Buytaert
cms 2.1.3 Update released for Drupal core (2.1.3)! drupal 10.5.11 Update released for Drupal core (10.5.11)! drupal 11.3.11 Update released for Drupal core (11.3.11)! drupal 11.2.13 Update released for Drupal core (11.2.13)! drupal 10.6.10 Update released for Drupal core (10.6.10)! cms 2.1.2 Update released for Drupal core (2.1.2)! drupal 11.1.10 Update released for Drupal core (11.1.10)! drupal 10.5.10 Update released for Drupal core (10.5.10)! drupal 10.4.10 Update released for Drupal core (10.4.10)! drupal 11.2.12 Update released for Drupal core (11.2.12)! drupal 11.3.10 Update released for Drupal core (11.3.10)! drupal 10.6.9 Update released for Drupal core (10.6.9)! drupal 10.6.8 Update released for Drupal core (10.6.8)! drupal 11.3.9 Update released for Drupal core (11.3.9)! drupal 11.3.8 Update released for Drupal core (11.3.8)! drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)!
← All modules

webdav

2 sites Security covered
View on drupal.org

WebDAV for Drupal exposes Drupal-managed files over the HTTP-WebDAV protocol so people can open and edit them directly in desktop applications (LibreOffice, Microsoft Office, the macOS Finder) while Drupal stays in charge of who may read or write each file. It is built on sabre/dav.

What it does

  • Edit files in place. Implements the full desktop verb set (OPTIONS, PROPFIND, LOCK, GET, PUT, UNLOCK, MOVE, COPY, DELETE), so a user opens a file from a link, edits it, and saves straight back to Drupal with no download-and-re-upload round trip.
  • Self-authenticating URLs. Each file link embeds a per-file token in its path, derived by HMAC from a per-user secret that never leaves the server. There is no Basic-auth challenge and no session cookie to carry. Because it authenticates the Drupal session rather than a password, it works for people signed in through an external identity provider (OpenID Connect, SAML, CAS, LDAP) with no local password.
  • Optional HTTP Basic auth. An opt-in, HTTPS-only Basic-auth surface covers mount-style clients (Cyberduck, the macOS Finder, rclone) that expect one credential for a whole mount rather than a per-file link.
  • Access control through Drupal. Every request runs through Drupal's canonical file-download chain (hook_file_download), so the entity-access rules already governing a file apply unchanged to WebDAV. Only files on the private filesystem are served; public files are refused.
  • Three independent revocation levers. Log a user out to invalidate all of their links, bump a single file's counter (drush webdav:revoke-file) to invalidate just that file everywhere, or change entity access to deny by content. Each lever acts in its own scope.
  • Read-only or read-write per role. Two permissions, "access webdav" and "modify webdav", split browsing from saving. Grant only the first and a role can open documents but every save returns 403.
  • Lock management. Standard WebDAV LOCK and UNLOCK, plus an administrative screen to inspect and force-release stale locks left by a crashed client.
  • Format-preserving saves. A save whose content type does not match the stored file's type is rejected, which catches the accidental Save As that would otherwise desynchronize Drupal's recorded MIME type from the bytes on disk.
  • Event hooks for integrators. Every WebDAV verb dispatches an event other modules can subscribe to (for example, to write a tamper-evident audit trail) without this module depending on any particular logging stack.

Modules

  • WebDAV - the server itself, all of the above.
  • WebDAV Key (webdav_key) - encrypts the per-user master secrets at rest with a key managed by the Key module, so a database dump alone cannot mint links.
  • WebDAV Lock PDO (webdav_lock_pdo) - persists WebDAV locks in the database so they survive container restarts, instead of the default temporary-file store.

Requirements

  • Drupal 11
  • PHP 8.2 or newer
  • sabre/dav 4.7 or newer, installed automatically through Composer

Status

WebDAV is under active development and is not yet recommended for production sites. HTTPS is mandatory in every deployment: the per-file token travels in the URL path, so the transport must be encrypted.

Note

It is a complete, ground-up rewrite that replaces the previous WebDAV module published under this namespace, which targeted Drupal 7 (end of life January 2025), had seen no releases since 2017, and shipped only a skeleton of hooks with no working server behind them. None of that code is carried forward and there is no upgrade path from it; install this as a new module.

Activity

Total releases
3
First release
Jun 2026
Latest release
5 days ago
Release cadence
0 days
Stability
0% stable

Release Timeline

Releases

Version Type Release date
1.0.0-alpha2 Pre-release Jun 8, 2026
1.0.0-alpha1 Pre-release Jun 8, 2026
1.x-dev Dev Jun 8, 2026