  1. Sakai
  2. SAK-2292

Users may see WebDAV resources for another person

    Details

    • Type: Bug
    • Status: CLOSED
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.1
    • Fix Version/s: 2.1.0
    • Component/s: WebDAV
    • Labels:
      None
    • Environment:
      Linux Enterprise RH 4, Tomcat 5.5.9, Sakai 2.0.1, jdk 1.4.09

      Description

      I have seen two separate examples of users having access to another user's resources via WebDAV and Sakai.

      First, on collab:

      Second, on our own installation:

      We have enabled RemoteUser, and I don't know how the DavServlet is handling/caching information (IP, username, etc.?). Basically, the scenario is this:

      1. user1 logs into Sakai.
      2. user1 connects to WebDAV, authenticates, and sees their information.
      3. user1 closes network places (Windows), but stays logged into Sakai.
      4. user2 logs into Sakai.
      5. user2 tries WebDAV, and enters user1's username and a fake password.
      6. user2 can see user1's information.

      I wouldn't think remoteuser enabling should cause this; however, I am not certain. I will attempt further to repeat this without container auth set.

      I just wanted to log this before I forget.

      Thanks,
      Scott

                People

                Assignee:
                csev Charles Severance
                Reporter:
                samerson Scott Amerson (Inactive)