diff --git a/config/config.go b/config/config.go
index 2f4e469f..c5f0145e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -122,8 +122,6 @@ func Parse(c *caddy.Controller) ([]Config, error) {
 					FileSystem: webdav.Dir(cfg.PathScope),
 					LockSystem: webdav.NewMemLS(),
 				}
-
-				// TODO
 			case "show":
 				if !c.NextArg() {
 					return configs, c.ArgErr()
diff --git a/filemanager.go b/filemanager.go
index 2b10bf22..70f09069 100644
--- a/filemanager.go
+++ b/filemanager.go
@@ -58,6 +58,23 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
 			}
 
 			if c.WebDav && strings.HasPrefix(r.URL.Path, c.WebDavURL) {
+				url := strings.TrimPrefix(r.URL.Path, c.WebDavURL)
+
+				if !user.Allowed(url) {
+					return http.StatusForbidden, nil
+				}
+
+				switch r.Method {
+				case "PROPPATCH", "MOVE", "PATCH", "PUT", "DELETE":
+					if !user.AllowEdit {
+						return http.StatusForbidden, nil
+					}
+				case "MKCOL", "COPY":
+					if !user.AllowNew {
+						return http.StatusForbidden, nil
+					}
+				}
+
 				c.WebDavHandler.ServeHTTP(w, r)
 				return 0, nil
 			}