[dev] Unauthenticated HordeCore Ajax

Ralf Lang lang at b1-systems.de
Thu Aug 15 20:26:02 UTC 2013


>> See, e.g., the 'embed' action in Kronolith_Ajax_Application_Handler.
>
> I tried that but I noticed the Kronolith embed snippet does not work
> when I am logged out. That was why I asked yunosh on IRC how this is
> supposed to work and he advised me to ask on dev at .
>
> I pushed the kronolith embed code for a specific calendar into
>
> http://horde5-test.maintaina.com/passwd/testme.html
>
> * shows calendar when I am logged in to ANY user.
> * returns the ajax timeout response from ajax.php when I am not logged in.
>
> /*-secure-{"msgs":[{"message":"\/login.php?url=%2Fpasswd%2F&horde_logout_token=TBOjzSlIW6Ywn8oBTzV5pg1&logout_reason=6","type":"horde.ajaxtimeout"}],"response":false}*/
>
>
> I think ajax.php reacts on the exception from Registry::appInit($app)
> before it can know if a handler for the action exists and if it is
> marked as external. But I have not yet verified that.
>
I've locally added authentication => none

try {
     // Local change: let appInit() run without forcing a login, so the
     // dispatcher can first determine whether the action is external.
     Horde_Registry::appInit($app, array('authentication' => 'none'));
//    Horde_Registry::appInit($app);
} catch (Horde_Exception_AuthenticationFailure $e) {
     // ... the existing handling of the failure follows here (not included in this mail)
}

Now I get a proper response from the kronolith/embed action.
I'm not sure if this breaks security for other actions, but it should
not, because for all non-external actions there is a check for the
session key. Removing the embed action from the $_external variable
makes it fail again when unauthenticated (expected behaviour).

-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
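The ordering question raised above (decide whether an action is external before treating a missing login as fatal, and require the session key for everything else) as an added, self-contained illustration. This is not Horde's ajax.php and uses no Horde classes; the AjaxDispatcher class, its authorize() method and the constructed values ('embed', 'listEvents', 'k3y') are hypothetical:

```php
<?php
// Added illustration, not Horde code: a minimal Ajax dispatcher that
// resolves the "is this action external?" question first, and only then
// enforces login plus session-key check for the remaining actions.

final class AjaxDispatcher
{
    /** Actions callable without a login (the role of $_external in the thread). */
    private array $external;
    /** The server-side session key, or null when no session exists. */
    private ?string $sessionKey;

    public function __construct(array $external, ?string $sessionKey)
    {
        $this->external = $external;
        $this->sessionKey = $sessionKey;
    }

    /**
     * Decide whether $action may run.
     * $loggedIn stands in for the outcome of the application init step;
     * $token is the session key the client sent with the request.
     * Returns ['ok' => bool, 'reason' => string].
     */
    public function authorize(string $action, bool $loggedIn, ?string $token): array
    {
        // 1. External actions: no login required, nothing more to check.
        if (in_array($action, $this->external, true)) {
            return ['ok' => true, 'reason' => 'external action'];
        }
        // 2. Every other action needs an authenticated session ...
        if (!$loggedIn || $this->sessionKey === null) {
            return ['ok' => false, 'reason' => 'horde.ajaxtimeout'];
        }
        // 3. ... and a session key matching the one sent by the client
        //    (constant-time comparison to avoid timing leaks).
        if ($token === null || !hash_equals($this->sessionKey, $token)) {
            return ['ok' => false, 'reason' => 'session key mismatch'];
        }
        return ['ok' => true, 'reason' => 'authenticated'];
    }
}

// Self-check with constructed values (hypothetical action names and key).
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$d = new AjaxDispatcher(['embed'], 'k3y');
check($d->authorize('embed', false, null)['ok'] === true,  'embed works logged out');
check($d->authorize('listEvents', false, null)['ok'] === false, 'non-external needs login');
check($d->authorize('listEvents', true, 'wrong')['ok'] === false, 'wrong session key rejected');
check($d->authorize('listEvents', true, 'k3y')['ok'] === true, 'valid session accepted');
echo "all checks passed\n";
```

Removing 'embed' from the external list makes the first check fail, which mirrors the expected behaviour described in the mail; the non-external branch is never reachable without both a login and a matching session key.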