Tickets :: [#6778] Unauthenticated access to public calendar subscription URL

6.0.0-beta1

7/27/25

Summary	Unauthenticated access to public calendar subscription URL
Queue	Kronolith
Queue Version	2.2
Type	Bug
State	Duplicate
Priority	1. Low
Owners	Horde Developers (at)
Requester	it-horde (at) isoc (dot) org
Created	05/29/2008 (6268 days ago)
Due
Updated	11/09/2008 (6104 days ago)
Assigned	05/31/2008 (6266 days ago)
Resolved	11/09/2008 (6104 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

11/09/2008 11:41:47 PM	Chuck Hagenbuch	Comment #8 State ⇒ Duplicate	Reply to this comment
Duplicate of #7514

09/19/2008 12:55:15 AM	paulcarnie (at) nospammail (dot) net	Comment #7 New Attachment: attend.php	Reply to this comment
Hi, I am doing a similar thing and have this going. I even modified the attend.php to spit out the current status of all attendees so I keep everyone informed. I have multiple external people with various email and calendar apps, and I won't blame Kronolith for what is a very messy business. Keep up the good work. Paul

08/21/2008 10:22:34 PM	Jan Schneider	Comment #6 Priority ⇒ 1. Low Milestone ⇒	Reply to this comment
We have no means to check whether a webdav resource requires authentication or not at the moment. We don't even know in the applications whether a resource doesn't exist at all, or is just hidden because of missing permissions. A solution might be to first try the API calls unauthenticated, and request authentication if it fails. Not sure if this is possible with the HTTP_WebDAV_Server infrastructure though.

07/06/2008 05:15:30 PM	Jan Schneider	Comment #5 Milestone ⇒ 2.2.1	Reply to this comment
Hmpf

07/06/2008 05:14:35 PM	Jan Schneider	Milestone ⇒ 2.2.2

07/06/2008 05:14:23 PM	Jan Schneider	Milestone ⇒ 2.2.1

05/31/2008 01:28:49 AM	Chuck Hagenbuch	State ⇒ Assigned Assigned to Horde Developers

05/30/2008 08:28:37 AM	it-horde (at) isoc (dot) org	Comment #4	Reply to this comment
I've now reproduced the issue on a second, clean install of Horde + Kronolith. The permission system works fine for the calendar Display URL. However, accessing ANY of the ical Subscription URLs always causes a "Horde WebDAV" prompt for authentication - even if the calendar (and Kronolith) is set up with Guest READ and SHOW rights. It looks like WebDAV is not accepting anonymous GETs. Another issue also shows up: - an anonymous user loads one of the calendar Display URLs - calendars are listed according to permissions - user clicks one of the 'i' info icons - the popup info box is displayed, but shows only a Close button - the calendar Subscription URL is not shown I need to be able to allow users to create public calendars that can be subscribed to without the need for any authentication.

05/29/2008 04:53:38 PM	it-horde (at) isoc (dot) org	Comment #3	Reply to this comment
You have to explicitly allow guest access to Kronolith in the Horde Administration -> Permissions interface. Yes, Guest access is set there too.

05/29/2008 04:35:23 PM	Chuck Hagenbuch	Comment #2 State ⇒ Not A Bug	Reply to this comment
You have to explicitly allow guest access to Kronolith in the Horde Administration -> Permissions interface.

05/29/2008 04:24:47 PM	it-horde (at) isoc (dot) org	Comment #1 Priority ⇒ 2. Medium State ⇒ Unconfirmed Patch ⇒ No Milestone ⇒ Queue ⇒ Kronolith Summary ⇒ Unauthenticated access to public calendar subscription URL Type ⇒ Bug	Reply to this comment
Issue with public calendars: - Create a calendar - Set calendar permission to SHOW and READ for GUEST - Go to 'Manage Calendars' - Calendar shows up for unauthenticated user when selecting 'Display URL' - PROBLEM - Subscribe to 'Subscription URL' with calendar client (tested with Sunbird) - Client always prompts for username and password (no anonymous, guest read access possible). Should allow read only access without requesting authentication. - Can also be reproduced by accessing subscription URL via browser