Thank you for your response, I assume in my 'environment' that a user as access only to one set of credentials so i don't need to give a user the option to enter a different set of credential.
But it makes sense to return a 401. I was trying to map the default mod_authz_svn behaviour that return forbidden if a user is authenticated and not authorised to access the repository. Thank you for mod_wsgi (thumbs up) Cumps, Filipe On 19 Jul, 12:16, Graham Dumpleton <[email protected]> wrote: > On 19 July 2010 02:29, fampinheiro <[email protected]> wrote: > > > > > > > I´m setting up a server where i can have multiple svn repositories. > > The users that have access to that repositories aren´t static and > > rewrite the authorisation file is not a good option in my opinion. > > > So i want to have the authorisation step to be handled by a script. > > > my directive under apache looks like this: > > > <Location /svn> > > DAV svn > > SVNParentPath c:/svn > > > Require valid-user > > > AuthType Basic > > AuthName "Svn Authentication" > > AuthBasicProvider wsgi > > WSGIAuthUserScript c:/scripts/authn.wsgi > > WSGIAccessScript c:/scripts/auths.wsgi > > Require valid-user > > </Location> > > > authn.wsgi > > > def check_password(environ, user, password): > > if user == 'admin' or user == 'spy': > > if password == 'secret': > > return True > > return False > > return None > > > The authentication phase works worderfully. > > > The problem is the authorisation. > > > auths > > > def allow_access(environ, host): > > if environ['REMOTE_USER'] == 'admin' > > return True > > return False > > > i assume this was supposed to work !? > > No. > > > i was using mod_python and PythonAuthzHandler to do this. > > Which is not the same thing. The equivalent phase in mod_python is > PythonAccessHandler. > > > Am i missing something !? > > Host access, ie., WSGIAaccessScript, is done before user > authentication and so doesn't have access to user login information. > > > be gentle i'm new to this world :) and have a lot to learn. > > > ps: i also tried WSGIAuthGroupScript but apache returns status code > > 401 and i want that if a valid user can´t access the repository to > > return 403 > > Apache returns 401 because that is the correct status code to return. > If you don't return that you aren't giving a user the option to enter > in a different set of credentials to allow them into area with more > constrained authorisation requirements. Thus would be abusing the > notion of how the HTTP authentication mechanism is supposed to work. > > Graham -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
