[apologies if this appears twice - lost in the ether] On Wed, 17 Jun 2009 14:06:13 +0100 "Ben Davies" <bdav...@stickyeyes.com> wrote:
> I'm currently planning out my own Authorization module > (mod_resource_authz) which allows a webmaster to deny or grant access > to a resource based on the method used. Note that every authz module supports that, through <Limit> (and in future through <If ...>) configuration sections. Not to mention "scripted" solutions like mod_rewrite. > My problem comes from attempting to determine if the user is a member > of a specific group. If been looking around, and it doesn't appear > that the user group membership lookups have been separated out from > their individual modules. For example, mod_authz_groupfile doesn't > provide an interface my module can use to lookup if a user is a > member of a group. Neither does mod_authz_dbm, etc; All these modules > do is provide authorization is a user is simply a member of a group. There's nothing in HTTP that defines a notion of "group". Modules implement it as a convenience. > Does anyone have any suggestions, or am I best implementing a separate > provider hook in my module that delegate group membership lookups to > other modules (e.g. mod_resource_authz_grplkup_file, > mod_resource_authz_grplkup_dbm, mod_resource_authz_grplkup_dbd). A > simple interface would suffice, e.g. provide the username, returns an > array of groups the user is a member of. You seem to be asking for a "group" API that'll enable your module to take advantage of existing authz providers, yesno? Since authz has been revamped in /trunk/ from 2.2.x, I suggest you start with /trunk/. If you have ideas to enhance the API that'll not break things and could be of general interest, then you could perhaps propose them to the dev list, and they may be in time for a 2.4 release. Bear in mind that to be of general use, you'll probably need to start by writing down exactly what you mean by "group", to avoid the likelihood of arguing at cross-purposes. Otherwise, yes, your module can export its own API independently. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
