rejetto forum

Login and Upload without Password.

MarkJV · 6 · 4993


MarkJV
In addition to an older topic: Login and Download without Password. http://www.rejetto.com/forum/index.php?topic=2742.0

I'm struggling with the following.
Defined an upload folder; named upload
Restrict access checkbox marked for one user.
Upload checkbox marked for this same user.

When I browse to it: http://<host.nl>/upload I will be asked for USER/PASS. I can't enter without Password.
However browse to http://<host.nl>/upload/~upload will ask for USER/PASS I can enter without password, only Username will do.

Is this a bug? Or am I overlooking something?

Thanks,
Mark


maverick
In addition to an older topic: Login and Download without Password.

I'm struggling with the following.
Defined an upload folder; named upload - DONE
Restrict access checkbox marked for one user. - DONE
Upload checkbox marked for this same user. - DONE

I re-created your procedure.  The older topic you mention has to do with downloading.  Your test is for uploading.  But anyway...

Quote
When I browse to it: http://<host.nl>/upload I will be asked for USER/PASS. I can't enter without Password.

Same here.

Quote
However browse to http://<host.nl>/upload/~upload will ask for USER/PASS I can enter without password, only Username will do.

If you can't enter http://<host.nl>/upload without entering valid user/pass for the upload folder, how did you browse to http://<host.nl>/upload/~upload ?

FIREFOX
If I manually add an address like http://<host.nl>/upload/~upload in my browser's location bar, the login popup appears, and like you, all I have to enter is username and I'm in.  I can successfully upload a file to the upload folder bypassing the need for a password.  Re-tested result.

OPERA
If I manually add an address like http://<host.nl>/upload/~upload in my browser's location bar, I'm in - there is no login popup.  I'm allowed to select and upload a file.  When I'm presented with the upload success page and attempt to go back, then the login popup appears.  The file has been transferred to the upload folder bypassing username/password.  Re-tested result.

INTERNET EXPLORER
Didn't test with it.  Don't like it.  I'll leave that to someone else.

CONCLUSION
Looks like this might be a bug.
« Last Edit: December 03, 2006, 12:37:20 AM by maverick »
maverick


MarkJV
Quote
The older topic you mention has to do with downloading.  Your test is for uploading.  But anyway...
That's why I didn't reply to the prior, but started this thread.

Quote
If you can't enter http://<host.nl>/upload without entering valid user/pass for the upload folder, how did you browse to http://<host.nl>/upload/~upload ?
Good question. I'm having an older bookmark to http://<host.nl>/upload/~upload don't remember how I got there in the first place.
I did remember this 'bug' from HFS 2.0. Just downloaded 2.1b and wanted to check it was still there.
Indeed I enter the location manually. Using Firefox (Gecko/20061010 Firefox/2.0)
I pass several firewalls to get to the HFS host which is at another location. I monitor this host by a tunneled VNC.
So I can verify whether or not the uploaded file is actually there. And it is.

Quote
When I'm presented with the upload success page and attempt to go back, then the login popup appears.  I have to enter BOTH valid username and password before the upload is posted to the filelist.  If not, the upload is cancelled.
Hitting the back-button indeed makes the popup appear. By the way browsing is not enabled.
Neither is download or the hidden features.

Also checked with IE 7 beta 3. Don't like either, but for testing purposes.

I could send you a private e-mail with the hostname, a username but no password.
You can try uploading a file yourself. E.g. txt file with a specific line in it.
I then can quote that line.

Thanks,
Mark
« Last Edit: December 02, 2006, 11:13:20 PM by MarkJV »


maverick
Quote
When I'm presented with the upload success page and attempt to go back, then the login popup appears.  I have to enter BOTH valid username and password before the upload is posted to the filelist.  If not, the upload is cancelled.
Quote
Hitting the back-button indeed makes the popup appear. By the way browsing is not enabled.
Neither is download or the hidden features.

You are referring to my test with Opera.  Let Download & Let Browse were enabled for that test.

I don't have to hit the back-button to make the popup appear.  It pops up automatically.

I just re-tested Opera with Let Download & Let Browse disabled and these are the results.
- manually entered the url in the browser location bar.
- there was the login popup.  Entered just username and got in.
- uploaded a file and got the upload success page.
- clicked on go back from that page and the login popup automatically appeared.
- entered username alone did nothing this time. 
- checked to see if the uploaded file was successfully transferred without a user's password.  IT WAS.

Rejetto, maybe you should check this out.  Looks like a bug.



« Last Edit: December 03, 2006, 12:31:43 AM by maverick »
maverick


MarkJV
Quote
- manually entered the url in the browser location bar.
- there was the login popup.  Entered just username and got in.
- uploaded a file and got the upload success page.
- clicked on go back from that page and the login popup automatically appeared.
- entered username alone did nothing this time.
- checked to see if the uploaded file was successfully transferred without a user's password.  IT WAS.

That's what I meant.
This way it's possible to upload without a password. Still need a Username.
Otherwise it would be very tricky.

Thanks Maverick, for stating this. I was searching for a misconfiguration

Mark


rejetto

  • Administrator
yes, at that level there was no check over the password.
fixed in next build, published in few minutes.
i would have fixed faster but i'm not home these days.
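
Added example, not part of the thread and not HFS code: a small Python model of the behaviour reported above, where the folder URL verifies the password but the `~upload` level accepts the user name alone, next to the corrected form that sends both levels through one credential check. The account, folder table and function names are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample data: one account, one folder restricted to that account.
ACCOUNTS = {"mark": "s3cret-example"}
FOLDERS = {"/upload": {"access": {"mark"}, "upload": {"mark"}}}
UPLOAD_SUFFIX = "/~upload"  # upload URL under a folder, as in the thread


def basic(user, password):
    """Build the Authorization header a browser sends from its login popup."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from a Basic header, or None if unusable."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticated_user(header):
    """Return the user name only when the password matches the account."""
    creds = parse_basic(header)
    if creds is None or creds[0] not in ACCOUNTS:
        return None
    supplied, expected = creds[1].encode(), ACCOUNTS[creds[0]].encode()
    return creds[0] if hmac.compare_digest(supplied, expected) else None


def status(path, header, fixed):
    """HTTP status for a request; fixed=False models the reported flaw."""
    is_upload = path.endswith(UPLOAD_SUFFIX)
    folder = FOLDERS.get(path[: -len(UPLOAD_SUFFIX)] if is_upload else path)
    if folder is None:
        return 404
    if is_upload and not fixed:
        creds = parse_basic(header)  # flaw: claimed name, password ignored
        user = creds[0] if creds else None
    else:
        user = authenticated_user(header)  # name and password both checked
    allowed = folder["upload"] if is_upload else folder["access"]
    return 200 if user in allowed else 401
```

The same four cases (folder URL and upload URL, each with an empty and a correct password) make a regression check for any server that exposes a separate upload endpoint under a protected folder.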