[Tickets #6746] Re: ical webdav and realms
bugs at horde.org
Fri Jun 6 13:07:04 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/6746
-----------------------------------------------------------------------
Ticket | 6746
Updated By | adrieder at sbox.tugraz.at
Summary | ical webdav and realms
Queue | Kronolith
Version | HEAD
Type | Bug
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers
-----------------------------------------------------------------------
adrieder at sbox.tugraz.at (2008-06-06 09:07) wrote:
I think I found the problem. But it is complicated for me to explain; I'll
try anyway and hope that someone can follow my potentially confusing words,
sorry for that:
When RPC webdav does "check_auth", first a Horde Auth instance of
Auth_application is created and the Auth::authenticate method stores the
credentials with the plain $userId (no realm). Then the imp api method
"authenticate" is called by (Auth_application) "_authenticate". The imp api
method "authenticate" calls createSession from imp/lib/Session.php, where
the realm gets added to the userId. $_SESSION['imp']['user'] and
$_SESSION['imp']['uniquser'] are stored.
Now a second Auth instance of type Auth_imp is created and
Auth_imp::authenticate is called, which then calls the parent::authenticate
(Auth::authenticate) again, which now stores the credentials with the
realmed $userId. The Auth_imp::_authenticate method then authenticates the
user at the imap server and the Auth::setAuth sets the realmed userId; after
that the Auth_imp is done.
Now the first Auth instance goes on with the authenticate method and sets
the plain userId via Auth::setAuth, which overwrites the realmed userId
that was set by the Auth_imp instance.
To avoid this behavior I was thinking of changing webdav.php and calling
the authenticate method with the "login = false" parameter:
$auth->authenticate($username, array('password' => $password), false);
when using imp as authentication driver (the Auth_imp instance sets it to
true anyway by itself).
By doing this the Auth::setAuth from the initial Auth instance is not
called and therefore it is not overwriting the credentials which were set
by the Auth_imp instance.
Any comments on that?
Didi
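
An added illustration of the flow described in the message above (not part of the original ticket and not Horde or IMP code): a minimal PHP model of an outer authenticate call whose verification step triggers an inner, realm-qualified login, showing which user id is left in the session with the outer "login" flag set to true and to false. The class names, the "@example.org" realm format, the user name and the password are constructed assumptions.

```php
<?php
// Simplified model of the nested login flow; every class and function name
// here is a hypothetical stand-in, not Horde or IMP code.
final class SessionStore
{
    public static ?string $authUser = null; // models the session's authenticated user id

    public static function setAuth(string $userId): void
    {
        self::$authUser = $userId;
    }
}

class BaseAuth
{
    // Models the reported flow: verify first, then record the user if $login is true.
    public function authenticate(string $userId, array $credentials, bool $login = true): bool
    {
        if (!$this->verify($userId, $credentials)) {
            return false;
        }
        if ($login) {
            SessionStore::setAuth($userId); // the last caller to reach this line wins
        }
        return true;
    }

    protected function verify(string $userId, array $credentials): bool
    {
        return ($credentials['password'] ?? '') === 'constructed-secret';
    }
}

class OuterAuth extends BaseAuth
{
    protected function verify(string $userId, array $credentials): bool
    {
        // Assumption: the realm is appended as "@realm" before the inner login runs.
        return (new BaseAuth())->authenticate($userId . '@example.org', $credentials, true);
    }
}

function sessionUserAfterLogin(bool $outerLogin): ?string
{
    SessionStore::$authUser = null;
    (new OuterAuth())->authenticate('alice', ['password' => 'constructed-secret'], $outerLogin);
    return SessionStore::$authUser;
}

echo 'outer login=true:  ', var_export(sessionUserAfterLogin(true), true), PHP_EOL;
echo 'outer login=false: ', var_export(sessionUserAfterLogin(false), true), PHP_EOL;
```

In this model, passing false to the outer call only leaves a session user behind because the inner driver records one itself; with an inner driver that does not, the same call would verify the password without establishing an authenticated session.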