#7139 closed defect (fixed)

Problems with WebDAV authorization handling

Reported by: billhuber01
Owned by: dkocher
Priority: normal
Milestone: 4.3
Component: webdav
Version: 4.2.1
Severity: normal
Keywords: authorization
Cc: william.huber@…
Architecture:
Platform: Windows 7

Description

There's some dysfunctional behavior in Cyberduck when paired with the WebDAV server provided with the Apache web server. Basically, the authorization handling in Cyberduck allows you to shoot yourself in the foot in various ways that are not intuitive.

Given the authorization scheme which we've implemented with our Apache web server, users can see all top-level folders even if they lack proper authorization to some of those folders. The problem is that if you can see a folder that you're not authorized to access, you might try to access it from Cyberduck either out of curiosity, due to a mistake, or some other reason. That's where the problem begins.

If a user accesses a folder that they aren't authorized to access, Cyberduck will present the user with a login screen even though you've already supplied credentials by opening the connection to the WebDAV server. If you supply the correct credentials for the login, the user gets a "Login failed" message and another opportunity to try to log in again. When you eventually get tired of entering the correct credentials and still getting the login prompt, you can cancel out of the login prompt. But, at that point, you no longer have access to anything!! Every folder you try to access anew will give you an error in Cyberduck (the little red circle with the line in it). In short, you have no legitimate options once you've accessed a folder that you aren't authorized for.

In summary, Cyberduck displays folders (most notably, top-level folders) for which you have no authorization and if you try to access them, your Cyberduck session will largely be ruined. Your only choice at that point is to reconnect and try again to do what you intended. But even if you reconnect, you must be careful to access only folders for which you are authorized or the same problem will happen again. That's the dysfunction.

Cyberduck should clearly not show a login prompt as a response to a failed authorization. The login is about authentication, and that has already occurred. Authorization is about a different point. I would have thought that the best (and most common) approach is to display only those file objects for which a user has proper authorization. But whatever the response is, the current operation in Cyberduck is inappropriate and certainly frustrating for users.
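
The failure mode in this report, and the client-side handling that avoids it, as an added simulation that is not Cyberduck's code: an in-memory WebDAV-like server answers 401 for authentication failures and 403 for authorization failures, and a buggy client variant (re-prompts on 403, discards cached credentials when the dialog is cancelled) is compared with a fixed one (prompts only on 401, reports 403 as a per-folder failure) across the ticket's sequence of actions. The ACL, user, password and paths are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed ACL and credentials for the simulation (not a real server).
ACL = {"/": {"bill"}, "/public": {"bill"}, "/secret": {"admin"}}
PASSWORDS = {"bill": "s3cret"}


def propfind(path: str, creds: Optional[Tuple[str, str]]) -> int:
    """Simulated server: 401 if credentials are missing or wrong
    (authentication), 403 if the user may not read that collection
    (authorization), 207 on success."""
    if creds is None or PASSWORDS.get(creds[0]) != creds[1]:
        return 401
    return 207 if creds[0] in ACL.get(path, set()) else 403


@dataclass
class Session:
    creds: Optional[Tuple[str, str]] = None
    prompt_count: int = 0
    answers: List[Tuple[str, str]] = field(default_factory=list)  # scripted dialog input

    def prompt(self) -> Optional[Tuple[str, str]]:
        """Show the login dialog; an exhausted answer list means Cancel."""
        self.prompt_count += 1
        return self.answers.pop(0) if self.answers else None


def list_folder(session: Session, path: str, fixed: bool) -> int:
    """Buggy variant: treats 403 like 401 (re-prompts) and drops the cached
    credentials on Cancel, so every later request fails with 401.
    Fixed variant: prompts only on 401; 403 is a per-folder failure."""
    while True:
        status = propfind(path, session.creds)
        if status == 401 or (status == 403 and not fixed):
            answer = session.prompt()
            if answer is None:  # user cancelled the dialog
                if not fixed:
                    session.creds = None  # the bug: session now unusable
                return status
            session.creds = answer
            continue
        return status


def walk(fixed: bool) -> Tuple[List[int], int]:
    """Replay the ticket: open /, browse forbidden /secret, then /public.
    Returns the status per folder and how many times the dialog appeared."""
    s = Session(answers=[("bill", "s3cret"), ("bill", "s3cret")])
    statuses = [list_folder(s, p, fixed) for p in ("/", "/secret", "/public")]
    return statuses, s.prompt_count
```

With the buggy variant the walk ends with /public failing (401) after four dialogs; with the fixed variant only /secret fails (403), the rest of the session stays usable, and the dialog appears once.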

Change History (5)

comment:1 Changed on Mar 21, 2013 at 2:11:47 PM by dkocher

  • Milestone set to 4.3
  • Status changed from new to assigned

comment:2 in reply to: ↑ description Changed on Apr 5, 2013 at 6:12:46 PM by dkocher

Replying to billhuber01:

In summary, Cyberduck displays folders (most notably, top-level folders) for which you have no authorization and if you try to access them,

There is no way to detect this before trying to access the resource.

comment:3 in reply to: ↑ description Changed on Apr 5, 2013 at 6:14:13 PM by dkocher

Replying to billhuber01:

When you eventually get tired of entering the correct credentials and still getting the login prompt, you can cancel out of the login prompt. But, at that point, you no longer have access to anything!! Every folder you try to access anew will give you an error in Cyberduck (the little red circle with the line in it). In short, you have no legitimate options once you've accessed a folder that you aren't authorized for.

That is clearly a bug. Will try to reproduce.

comment:4 Changed on Apr 8, 2013 at 5:37:49 PM by dkocher

  • Milestone changed from 4.4 to 4.3
  • Resolution set to fixed
  • Status changed from assigned to closed

Changes in authentication handler in r10820 will possibly fix this. Please reopen if still an issue with the current snapshot build.

comment:5 Changed on Apr 16, 2013 at 2:07:54 PM by dkocher

As this issue was fixed, #7163 was opened as a consequence.
