Tickets :: [#6778] Unauthenticated access to public calendar subscription URL

6.0.0-RC7

6/22/26

History
Attachments
Comment
Watch
Download

Summary	Unauthenticated access to public calendar subscription URL
Queue	Kronolith
Queue Version	2.2
Type	Bug
State	Duplicate
Priority	1. Low
Owners	Horde Developers (at)
Requester	it-horde (at) isoc (dot) org
Created	5/29/08 (6598 days ago)
Due
Updated	11/9/08 (6434 days ago)
Assigned	5/31/08 (6596 days ago)
Resolved	11/9/08 (6434 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

4711	Chuck Hagenbuch	Comment #8 State ⇒ Duplicate	Reply to this comment
Duplicate of #7514

1512	paulcarnie (at) nospammail (dot) net	Comment #7 New Attachment: attend.php	Reply to this comment
Hi, I am doing a similar thing and have this going. I even modified the attend.php to spit out the current status of all attendees so I keep everyone informed. I have multiple external people with various email and calendar apps, and I won't blame Kronolith for what is a very messy business. Keep up the good work. Paul

3410	Jan Schneider	Comment #6 Priority ⇒ 1. Low Milestone ⇒	Reply to this comment
We have no means to check whether a webdav resource requires authentication or not at the moment. We don't even know in the applications whether a resource doesn't exist at all, or is just hidden because of missing permissions. A solution might be to first try the API calls unauthenticated, and request authentication if it fails. Not sure if this is possible with the HTTP_WebDAV_Server infrastructure though.

305	Jan Schneider	Comment #5 Milestone ⇒ 2.2.1	Reply to this comment
Hmpf

355	Jan Schneider	Milestone ⇒ 2.2.2

235	Jan Schneider	Milestone ⇒ 2.2.1

491	Chuck Hagenbuch	State ⇒ Assigned Assigned to Horde Developers

378	it-horde (at) isoc (dot) org	Comment #4	Reply to this comment
I've now reproduced the issue on a second, clean install of Horde + Kronolith. The permission system works fine for the calendar Display URL. However, accessing ANY of the ical Subscription URLs always causes a "Horde WebDAV" prompt for authentication - even if the calendar (and Kronolith) is set up with Guest READ and SHOW rights. It looks like WebDAV is not accepting anonymous GETs. Another issue also shows up: - an anonymous user loads one of the calendar Display URLs - calendars are listed according to permissions - user clicks one of the 'i' info icons - the popup info box is displayed, but shows only a Close button - the calendar Subscription URL is not shown I need to be able to allow users to create public calendars that can be subscribed to without the need for any authentication.

384	it-horde (at) isoc (dot) org	Comment #3	Reply to this comment
You have to explicitly allow guest access to Kronolith in the Horde Administration -> Permissions interface. Yes, Guest access is set there too.

234	Chuck Hagenbuch	Comment #2 State ⇒ Not A Bug	Reply to this comment
You have to explicitly allow guest access to Kronolith in the Horde Administration -> Permissions interface.

474	it-horde (at) isoc (dot) org	Comment #1 Priority ⇒ 2. Medium State ⇒ Unconfirmed Patch ⇒ No Milestone ⇒ Queue ⇒ Kronolith Summary ⇒ Unauthenticated access to public calendar subscription URL Type ⇒ Bug	Reply to this comment
Issue with public calendars: - Create a calendar - Set calendar permission to SHOW and READ for GUEST - Go to 'Manage Calendars' - Calendar shows up for unauthenticated user when selecting 'Display URL' - PROBLEM - Subscribe to 'Subscription URL' with calendar client (tested with Sunbird) - Client always prompts for username and password (no anonymous, guest read access possible). Should allow read only access without requesting authentication. - Can also be reproduced by accessing subscription URL via browser