On Monday, July 19, 2010, fampinheiro <[email protected]> wrote: > Thank you for your response, > > I assume in my 'environment' that a user as access only to one set of > credentials > so i don't need to give a user the option to enter a different set of > credential. > > But it makes sense to return a 401. > > I was trying to map the default mod_authz_svn behaviour that return > forbidden > if a user is authenticated and not authorised to access the > repository.
They likely did it that way as they access it using purpose built command line clients and not browsers. Graham > Thank you for mod_wsgi (thumbs up) > > Cumps, > > Filipe > > On 19 Jul, 12:16, Graham Dumpleton <[email protected]> wrote: >> On 19 July 2010 02:29, fampinheiro <[email protected]> wrote: >> >> >> >> >> >> > I´m setting up a server where i can have multiple svn repositories. >> > The users that have access to that repositories aren´t static and >> > rewrite the authorisation file is not a good option in my opinion. >> >> > So i want to have the authorisation step to be handled by a script. >> >> > my directive under apache looks like this: >> >> > <Location /svn> >> > DAV svn >> > SVNParentPath c:/svn >> >> > Require valid-user >> >> > AuthType Basic >> > AuthName "Svn Authentication" >> > AuthBasicProvider wsgi >> > WSGIAuthUserScript c:/scripts/authn.wsgi >> > WSGIAccessScript c:/scripts/auths.wsgi >> > Require valid-user >> > </Location> >> >> > authn.wsgi >> >> > def check_password(environ, user, password): >> > if user == 'admin' or user == 'spy': >> > if password == 'secret': >> > return True >> > return False >> > return None >> >> > The authentication phase works worderfully. >> >> > The problem is the authorisation. >> >> > auths >> >> > def allow_access(environ, host): >> > if environ['REMOTE_USER'] == 'admin' >> > return True >> > return False >> >> > i assume this was supposed to work !? >> >> No. >> >> > i was using mod_python and PythonAuthzHandler to do this. >> >> Which is not the same thing. The equivalent phase in mod_python is >> PythonAccessHandler. >> >> > Am i missing something !? >> >> Host access, ie., WSGIAaccessScript, is done before user >> authentication and so doesn't have access to user login information. >> >> > be gentle i'm new to this world :) and have a lot to learn. >> >> > ps: i also tried WSGIAuthGroupScript but apache returns status code >> > 401 and i want that if a valid user can´t access the repository to >> > return 403 >> >> Apache returns 401 because that is the correct status code to return. >> If you don't return that you aren't giving a user the option to enter >> in a different set of credentials to allow them into area with more >> constrained authorisation requirements. Thus would be abusing the >> notion of how the HTTP authentication mechanism is supposed to work. >> >> Graham > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/modwsgi?hl=en. > > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
