
[#6778] Unauthenticated access to public calendar subscription URL
Summary Unauthenticated access to public calendar subscription URL
Queue Kronolith
Queue Version 2.2
Type Bug
State Duplicate
Priority 1. Low
Owners Horde Developers (at)
Requester it-horde (at) isoc (dot) org
Created 05/29/2008 (6244 days ago)
Due
Updated 11/09/2008 (6080 days ago)
Assigned 05/31/2008 (6242 days ago)
Resolved 11/09/2008 (6080 days ago)
Milestone
Patch No

History
11/09/2008 11:41:47 PM Chuck Hagenbuch Comment #8
State ⇒ Duplicate
Duplicate of #7514
09/19/2008 12:55:15 AM paulcarnie (at) nospammail (dot) net Comment #7
New Attachment: attend.php
Hi, I am doing a similar thing and have this going.  I even modified 
the attend.php to spit out the current status of all attendees so I 
keep everyone informed.  I have multiple external people with various 
email and calendar apps, and I won't blame Kronolith for what is a 
very messy business.



Keep up the good work.



Paul
08/21/2008 10:22:34 PM Jan Schneider Comment #6
Priority ⇒ 1. Low
Milestone ⇒
We have no means to check whether a webdav resource requires 
authentication or not at the moment. We don't even know in the 
applications whether a resource doesn't exist at all, or is just 
hidden because of missing permissions.

A solution might be to first try the API calls unauthenticated, and 
request authentication if it fails. Not sure if this is possible with 
the HTTP_WebDAV_Server infrastructure though.
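
The guest-first fallback proposed in comment #6, modelled as an added example that is not part of the ticket or of Horde's code. The permission model, paths and accounts are constructed, and answering 404 to an authenticated user without rights is an assumption of this example.

```python
# Added illustration, not Horde code: decide a subscription-URL GET by trying
# guest access first and challenging only when that fails.
import hmac
from dataclasses import dataclass, field

READ = "read"
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Horde WebDAV"'}

@dataclass
class Calendar:
    owner: str
    guest_perms: set = field(default_factory=set)   # rights granted to guests
    user_perms: dict = field(default_factory=dict)  # user -> set of rights

# Constructed sample data (paths, users and passwords are hypothetical).
CALENDARS = {
    "/calendars/public.ics": Calendar("alice", guest_perms={READ}),
    "/calendars/private.ics": Calendar("alice", user_perms={"bob": {READ}}),
}
USERS = {"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}

def can_read(path, user=None):
    """True if `user` (None means guest) may read the calendar at `path`."""
    cal = CALENDARS.get(path)
    if cal is None:
        return False  # missing and hidden calendars look the same to callers
    if READ in cal.guest_perms:
        return True
    if user is None:
        return False
    return user == cal.owner or READ in cal.user_perms.get(user, set())

def handle_get(path, credentials=None):
    """Return (status, headers) for a GET; credentials is (user, password)."""
    # 1. Guest attempt: a public calendar is served without any challenge.
    if can_read(path):
        return 200, {"Content-Type": "text/calendar"}
    # 2. Guest attempt failed: only now request (or verify) credentials.
    if credentials is None:
        return 401, CHALLENGE
    user, password = credentials
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return 401, CHALLENGE
    # 3. Authenticated: serve if permitted; otherwise 404, so a forbidden
    #    calendar is not distinguishable from one that does not exist.
    if can_read(path, user):
        return 200, {"Content-Type": "text/calendar"}
    return 404, {}
```

An anonymous client gets the same 401 for a private calendar and for a path that does not exist, which matches the limitation described in the comment: the application cannot tell the two cases apart.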
07/06/2008 05:15:30 PM Jan Schneider Comment #5
Milestone ⇒ 2.2.1
Hmpf
07/06/2008 05:14:35 PM Jan Schneider Milestone ⇒ 2.2.2
 
07/06/2008 05:14:23 PM Jan Schneider Milestone ⇒ 2.2.1
 
05/31/2008 01:28:49 AM Chuck Hagenbuch State ⇒ Assigned
Assigned to Horde Developers
 
05/30/2008 08:28:37 AM it-horde (at) isoc (dot) org Comment #4
I've now reproduced the issue on a second, clean install of Horde + Kronolith.



The permission system works fine for the calendar Display URL. 
However, accessing ANY of the ical Subscription URLs always causes a 
"Horde WebDAV" prompt for authentication - even if the calendar (and 
Kronolith) is set up with Guest READ and SHOW rights. It looks like 
WebDAV is not accepting anonymous GETs.



Another issue also shows up:

- an anonymous user loads one of the calendar Display URLs

- calendars are listed according to permissions

- user clicks one of the 'i' info icons

- the popup info box is displayed, but shows only a Close button - the 
calendar Subscription URL is not shown



I need to be able to allow users to create public calendars that can 
be subscribed to without the need for any authentication.
05/29/2008 04:53:38 PM it-horde (at) isoc (dot) org Comment #3
> You have to explicitly allow guest access to Kronolith in the Horde
> Administration -> Permissions interface.
Yes, Guest access is set there too.
05/29/2008 04:35:23 PM Chuck Hagenbuch Comment #2
State ⇒ Not A Bug
You have to explicitly allow guest access to Kronolith in the Horde 
Administration -> Permissions interface.
05/29/2008 04:24:47 PM it-horde (at) isoc (dot) org Comment #1
Priority ⇒ 2. Medium
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Queue ⇒ Kronolith
Summary ⇒ Unauthenticated access to public calendar subscription URL
Type ⇒ Bug
Issue with public calendars:



- Create a calendar

- Set calendar permission to SHOW and READ for GUEST

- Go to 'Manage Calendars'

- Calendar shows up for unauthenticated user when selecting 'Display URL'



- PROBLEM

- Subscribe to 'Subscription URL' with calendar client (tested with Sunbird)

- Client always prompts for username and password (no anonymous, guest 
read access possible).  Should allow read only access without 
requesting authentication.

- Can also be reproduced by accessing subscription URL via browser

