460438 - Error reading calendar (DAV_NOT_DAV) when using Chandler Server tickets

Status: VERIFIED DUPLICATE of bug 447824

(Calendar :: Provider: CalDAV, defect)

Description

[Benjamin Zeiss]

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; de; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.18pre) Gecko/20080917 Sunbird/0.9

It seems that a problem has been introduced with Lightning/Sunbird 0.9 that according to the Chandler guys had been fixed already. The problem does not appear in Lightning/Sunbird 0.8. The problem is as follows: in Chandler Server, a user can share his calendars by creating ticket urls that contain read, read/write, and/or freebusy rights.

Such an URL would like something like this:

https://serverurl/chandler/dav/username/9c0528ec-8eaf-11dc-aa7e-cf301e3ae4cb?ticket=xmw27gtw20

Now, when i add a caldav URL like this to 0.8, it works just as expected. Version 0.9 works as long as i try to access this url with the user who owns the calendar. If any other user tries to access this shared calendar, Lightning/Sunbird prompts for a username and password. No matter what i enter here, the access to the calendar is denied. I contacted the Chandler mailing list regarding this, and one of the Chandler developers explained that there used to be a problem in older versions of Lightning/Sunbird that had problems with the ticket addition "?ticket=somecode" which would be simply omitted. This was supposed to be fixed in version 0.8 as far as he recalled. The remaining URL without the ticket, i.e. "https://serverurl/chandler/dav/username/9c0528ec-8eaf-11dc-aa7e-cf301e3ae4cb" requires the correct username and password of the owner to be accessed. So the theory that Lightning/Sunbird simply throws away the rest of the URL with the ticket information does seem to make some sense to me. If this problem really had been fixed in 0.8, it seems to be reintroduced in 0.9.

Since this a serious problem that prohibits an update to 0.9 for all Chandler Server users, i sincerely hope that this will be fixed still in the 0.9 version line.

---
The Error Console reports the following:

Warning: There has been an error reading data for calendar: calname.  However, this error is believed to be minor, so the program will attempt to continue. Error code: DAV_NOT_DAV. Description: The resource at https://someurl/chandler/dav/username/9c0528ec-8eaf-11dc-aa7e-cf301e3ae4cb?ticket=xmw27gtw20 is either not a DAV collection or not available

Warning: There has been an error reading data for calendar: calname.  However, this error is believed to be minor, so the program will attempt to continue. Error code: READ_FAILED. Description: 

Reproducible: Always

Steps to Reproduce:
1. Use Chandler Server
2. Create a shared calendar by generating a ticket
3. Try to access the ticketed shared calendar via the ticket url with a different user than the owner.
Actual Results:  
User/password prompt. Access to the calendar is denied to any user who is not the owner.

Expected Results:  
No user/password prompt for any user since the URL is not protected when using the ticket.

Comment 1

[Stefan Sitter [:ssitter]]

Bug 447824 Comment #12 and following talks about ticket-based auth too.