Problems with WebDAV authorization handling #7139

Closed
cyberduck opened this issue Mar 21, 2013 · 4 comments

@cyberduck cyberduck commented Mar 21, 2013

daf40e3 created the issue

There's some dysfunctional behavior in Cyberduck when paired with the WebDAV server provided with the Apache web server. Basically, the authorization handling in Cyberduck allows you to shoot yourself in the foot in various ways that are not intuitive.

Given the authorization scheme which we've implemented with our Apache web server, users can see all top-level folders even if they lack proper authorization to some of those folders. The problem is that if you can see a folder that you're not authorized to access, you might try to access it from Cyberduck either out of curiosity, due to a mistake, or some other reason. That's where the problem begins.

If a user accesses a folder that they aren't authorized to access, Cyberduck will present the user with a login screen even though you've already supplied credentials by opening the connection to the WebDAV server. If you supply the correct credentials for the login, the user gets a "Login failed" message and another opportunity to try to log in again. When you eventually get tired of entering the correct credentials and still getting the login prompt, you can cancel out of the login prompt. But, at that point, you no longer have access to anything!! Every folder you try to access anew will give you an error in Cyberduck (the little red circle with the line in it). In short, you have no legitimate options once you've accessed a folder that you aren't authorized for.

In summary, Cyberduck displays folders (most notably, top-level folders) for which you have no authorization and if you try to access them, your Cyberduck session will largely be ruined. Your only choice at that point is to reconnect and try again to do what you intended. But even if you reconnect, you must be careful to access only folders for which you are authorized or the same problem will happen again. That's the dysfunction.

Cyberduck should clearly not show a login prompt as a response to a failed authorization. The login is about authentication and that has already occurred. Authorization is about a different point. I would have thought that the best (and most common) approach is to display only those file objects for which a user has proper authorization. But whatever the response is, the current operation in Cyberduck is inappropriate and certainly frustrating for users.
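
The authentication/authorization distinction argued in the post above, as an added example that is not part of the original issue and is not Cyberduck's code. It assumes (the page does not say so) that the server answers 401 both for bad credentials and for a valid user who lacks authorization; the user names, folders and the `Session`/`decide` helpers are hypothetical.

```python
from enum import Enum

class Action(Enum):
    OK = "ok"
    PROMPT_LOGIN = "prompt_login"
    ACCESS_DENIED = "access_denied"

# Constructed sample data: one user and per-folder authorization.
USERS = {"alice": "s3cret"}
FOLDER_ACL = {"/projects": {"alice"}, "/finance": {"bob"}}

def server_status(path, creds):
    """Toy server (assumption): 401 for bad credentials AND for a valid
    user who is not authorized for the folder; 207 for a successful listing."""
    if creds is None or USERS.get(creds[0]) != creds[1]:
        return 401
    return 207 if creds[0] in FOLDER_ACL.get(path, set()) else 401

def decide(status, creds, verified):
    """Map a response to a client action without conflating authn and authz."""
    if status < 400:
        return Action.OK
    if status == 403 or (status == 401 and creds is not None and verified):
        # These credentials were already accepted in this session, so a new
        # login prompt cannot help: report the folder as inaccessible.
        return Action.ACCESS_DENIED
    if status == 401:
        # Credentials never accepted so far: a prompt is the right response.
        return Action.PROMPT_LOGIN
    return Action.ACCESS_DENIED

class Session:
    def __init__(self, creds):
        self.creds = creds
        self.verified = False  # True once the server accepted these credentials

    def list_folder(self, path):
        status = server_status(path, self.creds)
        action = decide(status, self.creds, self.verified)
        if action is Action.OK:
            self.verified = True
        # On ACCESS_DENIED the stored credentials are kept untouched, so the
        # rest of the session keeps working after one refused folder.
        return action
```

If the very first request of a session hits an unauthorized folder, this sketch still prompts, because a bare 401 cannot be told apart from a failed login at that point.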


@cyberduck cyberduck commented Apr 5, 2013

@dkocher commented

Replying to [7139 billhuber01]:

In summary, Cyberduck displays folders (most notably, top-level folders) for which you have no authorization and if you try to access them,

There is no way to detect this before trying to access the resource.


@cyberduck cyberduck commented Apr 5, 2013

@dkocher commented

Replying to [7139 billhuber01]:

When you eventually get tired of entering the correct credentials and still getting the login prompt, you can cancel out of the login prompt. But, at that point, you no longer have access to anything!! Every folder you try to access anew will give you an error in Cyberduck (the little red circle with the line in it). In short, you have no legitimate options once you've accessed a folder that you aren't authorized for.

That is clearly a bug. Will try to reproduce.


@cyberduck cyberduck commented Apr 8, 2013

@dkocher commented

Changes in authentication handler in 2423aa6 will possibly fix this. Please reopen if still an issue with the current snapshot build.


@cyberduck cyberduck closed this Apr 8, 2013

@cyberduck cyberduck commented Apr 16, 2013

@dkocher commented

As this issue was fixed, #7163 was opened as a consequence.


@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021