Just set up DNews 5.7e1 on Windows 2003 Server, using all the default templates.
Authorise is using the same ODBC service that Surgemail uses, to an MS-SQL db.
<dnews.conf>
auth_case true
auth_spawn D:\Server\Surgemail\odbcauth.exe -path D:\Server\Surgemail\
-------------
Used Dnews Admin remotely to add an "Administrators" group, set to
"test.admin.*."
Created one group on that hierachy: test.admin.config
Using Dnews Admin created one user account "test", and added it to the
"Administrators" group.
The MSSQL db also has a user account "test" with group="manager".
Logged into the Dnews web interface sucessfully and subscribed to the restricted group by
typing its name into the edit box and pressing the "Read" button. It appears in
the list of Subscribed News Groups along with three 'public' groups also subscribed to
(test.announce, test.chat, test.help).
None of the groups have any postings at this point.
If I click on one of the 'public' groups it immediately takes me to the "Items in
test.announce" page.
If I click on the "test.admin.config" link I get asked for username & password.
I give the same log-in details and proceed.
It returns me to the "Subscribed News Groups" page, and shows an error report
in the lower part of the page:
--------
An error occured
No such group (test.admin.config) 480 Permission denied
--------
I then unsubscribe from the group test.admin.config and re-subscribe. I'm asked for my
username & password once again, and then see the group listed again on the
"Subscribed News Groups" page.
I click on the "test.admin.config" link and it prompts me for my username &
password and again comes back with the same error.
I'm confused because "no such group" is patently not true; its listed in
active.dat as well as my subscribed groups.
If using Dnews Admin I remove the "test.admin.*" setting from the "Administrators" group
I can view the "Items in test.admin.config" page.
I then re-add "test.admin.*" to the "Administrators" group and for clarity
restart DNews remotely.
Back in the web interface after logging in I find that when I click on
"test.admin.config" I get the error once more.
In the MSSQL db the login belongs to the group "Manager".
So in Dnews Admin I add a new group "Manager" set to "test.admin.*".
After logging in to the web interface again I can click the group in the list and get to the
"Items in test.admin.config" page successfully, without being asked for username
& password.
It seems to me that there is some kind of conflict here to do with the ODBC and
built-in authentication methods but I don't understand it.
I was able to subscribe to and see the test.admin.config newsgroup listed even though my
ODBC auth reported me only belonging to the "Manager" group.
<dnews.log>
18 04:24:43 1:info: Looking up user ([EMAIL PROTECTED]) via spawned program (D:\Server\Surgemail\odbcauth.exe -path D:\Server\Surgemail\)
18 04:24:43 1:info: spawn: Sent ->check [EMAIL PROTECTED] *** 127.0.0.1
18 04:24:44 1:info: spawn: response +OK [EMAIL PROTECTED] config 0 ID="1" translate="" block="" send="" fwd="" droppath="" ipmask="" mailstatus="ok" mailaccess="" created="" quota="" full_name="Test" groups="Manager" pass_ans
18 04:24:44 1:info: User lookup ([EMAIL PROTECTED]) OK, 1 groups
18 04:24:44 1:info: Replacing user cache entry [3] [EMAIL PROTECTED]
18 04:24:44 1:info: chan: [EMAIL PROTECTED] in usergroup [0] manager
-----------
Is there an additional configuration I can make in the access list to prevent an unauthorised user from subscribing to protected groups?
