fix: 'modify:false' is respected

README.md

@@ -22,6 +22,7 @@ tls: false
 cert: cert.pem
 key: key.pem
 prefix: /
+debug: false
 
 # Default user settings (will be merged)
 scope: .

cmd/config.go

@@ -190,6 +190,7 @@ func readConfig(flags *pflag.FlagSet) *lib.Config {
 				LockSystem: webdav.NewMemLS(),
 			},
 		},
+		Debug:   getOptB(flags, "debug"),
 		Auth:    getOptB(flags, "auth"),
 		NoSniff: getOptB(flags, "nosniff"),
 		Cors: lib.CorsCfg{

cmd/root.go

@@ -71,6 +71,9 @@ set WD_CERT.`,
 		}
 		loggerConfig := zap.NewProductionConfig()
 		loggerConfig.DisableCaller = true
+		if cfg.Debug {
+			loggerConfig.Level = zap.NewAtomicLevelAt(zap.DebugLevel)
+		}
 		loggerConfig.EncoderConfig.EncodeTime = zapcore.ISO8601TimeEncoder
 		loggerConfig.Encoding = cfg.LogFormat
 		logger, err := loggerConfig.Build()

lib/webdav.go

@@ -22,6 +22,7 @@ type CorsCfg struct {
 type Config struct {
 	*User
 	Auth      bool
+	Debug     bool
 	NoSniff   bool
 	Cors      CorsCfg
 	Users     map[string]*User
@@ -107,17 +108,14 @@ func (c *Config) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Checks for user permissions relatively to this PATH.
-	noModification := r.Method == "GET" ||
-		r.Method == "HEAD" ||
-		r.Method == "OPTIONS" ||
-		r.Method == "PROPFIND" ||
-		r.Method == "PUT" ||
-		r.Method == "LOCK" ||
-		r.Method == "UNLOCK" ||
-		r.Method == "MOVE" ||
-		r.Method == "DELETE"
-
-	if !u.Allowed(r.URL.Path, noModification) {
+	noModification := r.Method == "GET" || r.Method == "HEAD" ||
+		r.Method == "OPTIONS" || r.Method == "PROPFIND"
+
+	allowed := u.Allowed(r.URL.Path, noModification)
+
+	zap.L().Debug("allowed & method & path", zap.Bool("allowed", allowed), zap.String("method", r.Method), zap.String("path", r.URL.Path))
+
+	if !allowed {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}