Closed Bug 391383 Opened 17 years ago Closed 17 years ago

HTTP authentication doesn't work for world-readable, write-restricted ICS shares

Categories

(Calendar :: Provider: ICS/WebDAV, defect)

Product:
Calendar
Component:
Provider: ICS/WebDAV
Version:
Lightning 0.5
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED DUPLICATE of bug 387559

People

(Reporter: toby, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Lightning 2007062404

In Apache, it is possible to set a WebDAV share as world-readable (e.g. no auth required) but require auth for write operations using a config such as:

   <Location /dav>
      DAV on
      Options None
      <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
         Require valid-user
      </Limit>
   </Location>

In this case, a GET is not restricted, but PUT, POST, etc. are.

Lightning doesn't handle this correctly, as it apparently assumes that because the GET didn't require auth, neither will the PUT, but that is not always a valid assumption. My Apache logs indicate that the GET was successful (200), but a 401 (authentication required) was returned for the PUT request and Lightning never attempted to ask for or send my credentials:

example.com my.hostname.com - - [06/Aug/2007:15:53:53 -0400] "GET /dav/ical/MyCalendar.ics HTTP/1.1" 200 975 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070716 Thunderbird/2.0.0.5"
example.com my.hostname.com - - [06/Aug/2007:15:53:53 -0400] "PUT /dav/ical/MyCalendar.ics HTTP/1.1" 401 401 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070716 Thunderbird/2.0.0.5"


Reproducible: Always

Steps to Reproduce:
1. Configure Apache WebDAV to allow unauthenticated GET, but require auth on PUT/POST.
2. Attempt to write to this calendar using Lightning 0.5, by either creating a new event or modifying an existing one.

Actual Results:  
Lightning never asks for or sends auth, even though Apache returned a 401. Resource is not updated, even though Lightning shows the item as updated, and never raises an error.

Expected Results:  
Lightning should prompt for auth (or send it if already stored) in order to update the WebDAV resource.
set version to Lightning 0.5
Version: unspecified → Lightning 0.5
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Sorry, I tried searching whether this already was filed but I guess I wasn't looking in the right place. I'll keep an eye on the linked bug and help test.
Status: RESOLVED → VERIFIED
Bug 387559 is fixed now. I'd like you to retest with a Sunbird or Lightning 0.7pre (20070912) or newer build if your issue is entirely fixed now.
Thanks a lot Stefan, I was keeping an eye on it and I'll definitely test as soon as I can get a profile set up.
You need to log in before you can comment on or make changes to this bug.