mirror of
https://github.com/9001/copyparty.git
synced 2025-08-17 09:02:15 -06:00
2ce8233921
* return 403 instead of 404 in the following sitations:
* viewing an RSS feed without necessary auth
* accessing a file with the wrong filekey
* accessing a file/folder without necessary auth
(would previously 404 for intentional ambiguity)
* only allow PROPFIND if user has either read or write;
previously a blank response was returned if user has
get-access, but this could confuse webdav clients into
skipping authentication (for example AuthPass)
* return 401 basic-challenge instead of 403 if the client
appears to be non-graphical, because many webdav clients
do not provide the credentials until they're challenged.
There is a heavy bias towards assuming the client is a
browser, because browsers must NEVER EVER get a 401
(tricky state that is near-impossible to deal with)
* return 401 basic-challenge instead of 403 if a PUT
is attempted without any credentials included; this
should be safe, as graphical browsers never do that
this fixes the interoperability issues mentioned in
https://github.com/authpass/authpass/issues/379
where AuthPass would GET files without providing the
password because it expected a 401 instead of a 403;
AuthPass is behaving correctly, this is not a bug
|
||
|---|---|---|
| .. | ||
| res/idp | ||
| __init__.py | ||
| ptrav.py | ||
| run.py | ||
| test_cp.py | ||
| test_dedup.py | ||
| test_dots.py | ||
| test_dxml.py | ||
| test_hooks.py | ||
| test_httpcli.py | ||
| test_idp.py | ||
| test_metrics.py | ||
| test_mv.py | ||
| test_utils.py | ||
| test_vfs.py | ||
| util.py | ||