From 95de420a35109d89b7399b6a5da0077d32127239 Mon Sep 17 00:00:00 2001
From: Ryan Lue
Date: Tue, 26 May 2020 00:26:06 +0800
Subject: [PATCH] Fixes #3064: Double-render error on HTTP Basic auth

This commit fixes a regression[0] introduced in becbdb1ba (the Pundit migration). Specifically, `CalendarSubscriptionsController` appears to be the only controller that supports HTTP Basic authentication (for calendar clients like Thunderbird Lightning or Calendar.app), and the migration changed the control flow for HTTP Basic authentication + authorization: # before authentication_check({ basic_auth_promt: true, permission: 'user_preferences.calendar' }) # after authentication_check(basic_auth_promt: true) && authorize! After this change, `#authentication_check` is expected to communicate success or failure through its return value, but prior to this bugfix, its return value was always truthy. This led to a double-render error, where a response code and message were set twice, upon the failures of both authentication and authorization. This fix adds a `return false` in the authorization failure case, short-circuiting the `#authorize!` call and eliminating the error. [0]: https://github.com/zammad/zammad/issues/3064
---
 .../application_controller/authenticates.rb | 3 ++-
 spec/requests/calendar_subscriptions_spec.rb | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 spec/requests/calendar_subscriptions_spec.rb
diff --git a/app/controllers/application_controller/authenticates.rb b/app/controllers/application_controller/authenticates.rb
index b4087434b..af92d076e 100644
--- a/app/controllers/application_controller/authenticates.rb
+++ b/app/controllers/application_controller/authenticates.rb
@@ -27,7 +27,8 @@ module ApplicationController::Authenticates
     # check if basic_auth fallback is possible
     if auth_param[:basic_auth_promt] && !user
-      return request_http_basic_authentication
+      request_http_basic_authentication
+      return false
     end
     # return auth not ok
diff --git a/spec/requests/calendar_subscriptions_spec.rb b/spec/requests/calendar_subscriptions_spec.rb
new file mode 100644
index 000000000..5869e164b
--- /dev/null
+++ b/spec/requests/calendar_subscriptions_spec.rb
@@ -0,0 +1,11 @@
+require 'rails_helper'
+
+RSpec.describe 'iCal endpoints', type: :request do
+  context 'with no existing session' do
+    it 'gives HTTP Basic auth prompt (#3064)' do
+      get '/ical/tickets'
+
+      expect(response.body).to eq("HTTP Basic: Access denied.\n")
+    end
+  end
+end
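Review bot: The new `return false` after `request_http_basic_authentication` only prevents the double render for callers that test the return value of `authentication_check`; the hunk shows the 401 challenge is still rendered before the return, so a caller that ignores the result and renders again will reproduce the same error. That contract deserves a comment at the challenge site, e.g. `# the 401 challenge is already rendered here; signal failure so callers do not render again`. The enclosing method starts before the hunk and continues past it, so whether the `# return auth not ok` path below also returns false is not visible here — presumably it does, which is what makes the `authentication_check(...) && authorize!` pattern from the commit message safe.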
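Review bot: The new spec at the end of the hunk pins only the body text of the challenge, not the status or the header that an HTTP Basic client actually acts on, so a later change that renders the same body with a different status would still pass. Add `expect(response).to have_http_status(:unauthorized)` and `expect(response.headers['WWW-Authenticate']).to start_with('Basic')` next to the existing expectation. The commit message also describes a second failure path (authenticated but not authorized); no example in this file exercises it, so the `&& authorize!` half of the fix remains uncovered here.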