[Cyberduck-trac] [Cyberduck] #7139: Problems with WebDAV authorization handling
Cyberduck
trac at trac.cyberduck.ch
Thu Mar 21 14:05:00 UTC 2013
#7139: Problems with WebDAV authorization handling
----------------------------+---------------------------
Reporter: billhuber01 | Owner: dkocher
Type: defect | Status: new
Priority: normal | Milestone:
Component: webdav | Version: 4.2.1
Severity: normal | Keywords: authorization
Architecture: | Platform: Windows 7
----------------------------+---------------------------
There's some dysfunctional behavior in Cyberduck when paired with the
WebDAV server provided with the Apache web server. Basically, the
authorization handling in Cyberduck allows you to shoot yourself in the
foot in various ways that are not intuitive.
Given the authorization scheme which we've implemented with our Apache web
server, users can see all top-level folders even if they lack proper
authorization to some of those folders. The problem is that if you can see
a folder that you're not authorized to access, you might try to access it
from Cyberduck either out of curiosity, due to a mistake, or some other
reason. That's where the problem begins.
If a user accesses a folder that they aren't authorized to access,
Cyberduck will present the user with a login screen even though you've
already supplied credentials by opening the connection to the WebDAV
server. If you supply the correct credentials for the login, the user gets
a "Login failed" message and another opportunity to try to log in again.
When you eventually get tired of entering the correct credentials and
still getting the login prompt, you can cancel out of the login prompt.
But, at that point, you no longer have access to anything!! Every folder
you try to access anew will give you an error in Cyberduck (the little red
circle with the line in it). In short, you have no legitimate options once
you've accessed a folder that you aren't authorized for.
In summary, Cyberduck displays folders (most notably, top-level folders)
for which you have no authorization and if you try to access them, your
Cyberduck session will largely be ruined. Your only choice at that point
is to reconnect and try again to do what you intended. But even if you
reconnect, you must be careful to access only folders for which you are
authorized or the same problem will happen again. That's the dysfunction.
Cyberduck should clearly not show a login prompt as a response to a failed
authorization. The login is about authentication and that has already
occurred. Authorization is about a different point. I would have thought
that the best (and most common) approach is to display only those file
objects for which a user has proper authorization. But whatever the
response is, the current operation in Cyberduck is inappropriate and
certainly frustrating for users.
--
Ticket URL: <http://trac.cyberduck.ch/ticket/7139>
Cyberduck <http://cyberduck.ch>
Open source FTP, SFTP, WebDAV, Cloud Files, Google Docs & Amazon S3 Browser for Mac & Windows.
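The ticket's point is that a client must keep authentication (401, ask for credentials) apart from authorization (403, report access denied for that path) and must not throw away working credentials when the user cancels a re-prompt. The following is an added model of that client-side logic, not Cyberduck's code; `fake_propfind`, `Session`, `naive_open` and `robust_open` are constructed names, and the server stub assumes Apache's default of answering an authorization failure with another 401 (2.4 can send 403 instead via `AuthzSendForbiddenOnFailure On`).

```python
from dataclasses import dataclass

# Constructed server: one valid login, per-folder authorization.
VALID = ("alice", "s3cret")
ACCESS = {"/": True, "/public/": True, "/finance/": False}

def fake_propfind(path, credentials, deny_status=401):
    """Stand-in for an Apache WebDAV server; deny_status=401 mimics Apache's
    default re-challenge on authz failure, 403 mimics AuthzSendForbiddenOnFailure."""
    if credentials != VALID:
        return 401
    return 207 if ACCESS.get(path, False) else deny_status

@dataclass
class Session:
    credentials: tuple = None
    verified: bool = False   # these credentials already succeeded once

def naive_open(session, path, prompt, server=fake_propfind):
    """Reported behaviour: every 401 re-prompts; cancelling drops credentials."""
    status = server(path, session.credentials)
    while status == 401:
        new = prompt()
        if new is None:
            session.credentials = None       # nothing works from here on
            return "cancelled"
        session.credentials = new
        status = server(path, new)
    return "ok" if status == 207 else "forbidden"

def robust_open(session, path, prompt, server=fake_propfind, retries=2):
    """403, or a 401 for credentials this connection already verified, is an
    authorization failure for this path only; cancelling keeps working credentials."""
    status = server(path, session.credentials)
    if status == 403 or (status == 401 and session.verified):
        return "forbidden"
    for _ in range(retries):
        if status != 401:
            break
        new = prompt()
        if new is None:
            return "cancelled"              # previous credentials untouched
        status = server(path, new)
        if status != 401:
            session.credentials = new
    if status == 207:
        session.verified = True
        return "ok"
    return "forbidden" if status == 403 else "login failed"
```

With the naive policy, cancelling once at `/finance/` leaves every later request failing, which is the session-ruined symptom in the ticket; with the robust policy the denied folder is reported and `/public/` keeps working.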