Apache::AuthCookie with multiple 'require' directives?

2000-01-27 Thread Ken Williams 

Hi,

I'm looking at the AuthCookie code, getting ready to release a new version to
CPAN.  It looks to me like currently only the first 'require' directive will be
processed and obeyed.  Here's the code from the old authz():


  foreach $reqs (@$reqs_arr) {
($requirement, $args) = split /\s+/, $reqs->{requirement}, 2;
$args = "" unless defined $args;
$r->log_error("requirement := $requirement, $args") if ($debug >= 2);

if ($requirement eq "valid-user") {
  return OK;
} elsif ($requirement eq "user") {
  return OK if ($args =~ m/\b$user\b/);
} else {
  my $ret_val = $auth_type->$requirement($r, $args);
  $r->log_error("$auth_type->$requirement returned $ret_val")
if $debug >= 3;
  return OK if $ret_val == OK;
}
$restricted++;
  }

  return OK unless $restricted;
  return FORBIDDEN;


Is anyone actually using this with multiple "require' directives?  Or would
anyone like to?


  ------
  Ken Williams Last Bastion of Euclidity
  [EMAIL PROTECTED]The Math Forum

Re: Apache::AuthCookie with multiple 'require' directives?

2000-01-27 Thread Cliff Rayman 

looks to me like it is using an OR approach.
first successful match returns OK.

Ken Williams wrote:

> Hi,
>
> I'm looking at the AuthCookie code, getting ready to release a new version to
> CPAN.  It looks to me like currently only the first 'require' directive will be
> processed and obeyed.  Here's the code from the old authz():
>
> 
>   foreach $reqs (@$reqs_arr) {
> ($requirement, $args) = split /\s+/, $reqs->{requirement}, 2;
> $args = "" unless defined $args;
> $r->log_error("requirement := $requirement, $args") if ($debug >= 2);
>
> if ($requirement eq "valid-user") {
>   return OK;
> } elsif ($requirement eq "user") {
>   return OK if ($args =~ m/\b$user\b/);
> } else {
>   my $ret_val = $auth_type->$requirement($r, $args);
>   $r->log_error("$auth_type->$requirement returned $ret_val")
> if $debug >= 3;
>   return OK if $ret_val == OK;
> }
> $restricted++;
>   }
>
>   return OK unless $restricted;
>   return FORBIDDEN;
> 
>
> Is anyone actually using this with multiple "require' directives?  Or would
> anyone like to?
>
>   ------
>   Ken Williams Last Bastion of Euclidity
>   [EMAIL PROTECTED]The Math Forum

Re: Apache::AuthCookie with multiple 'require' directives?

2000-01-27 Thread Cliff Rayman 

'c' code in mod_auth seems to work similar as the perl code below.

- snip -
for (x = 0; x < reqs_arr->nelts; x++) {

if (!(reqs[x].method_mask & (1 << m)))
continue;

method_restricted = 1;

t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (!strcmp(w, "valid-user"))
return OK;
if (!strcmp(w, "user")) {
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (!strcmp(user, w))
return OK;
}
}
else if (!strcmp(w, "group")) {
if (!grpstatus)
return DECLINED;/* DBM group?  Something else? */

while (t[0]) {
w = ap_getword_conf(r->pool, &t);
if (ap_table_get(grpstatus, w))
return OK;
}
} else if (sec->auth_authoritative) {
/* if we aren't authoritative, any require directive could be
 * valid even if we don't grok it.  However, if we are
 * authoritative, we can warn the user they did something wrong.
 * That something could be a missing "AuthAuthoritative off", but
 * more likely is a typo in the require directive.
 */
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"access to %s failed, reason: unknown require directive:"
"\"%s\"", r->uri, reqs[x].requirement);
}
}

if (!method_restricted)
return OK;

if (!(sec->auth_authoritative))
return DECLINED;

ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"access to %s failed, reason: user %s not allowed access",
r->uri, user);

ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
}
- snip -

cliff rayman
genwax.com

Ken Williams wrote:

> Hi,
>
> I'm looking at the AuthCookie code, getting ready to release a new version to
> CPAN.  It looks to me like currently only the first 'require' directive will be
> processed and obeyed.  Here's the code from the old authz():
>
> 
>   foreach $reqs (@$reqs_arr) {
> ($requirement, $args) = split /\s+/, $reqs->{requirement}, 2;
> $args = "" unless defined $args;
> $r->log_error("requirement := $requirement, $args") if ($debug >= 2);
>
> if ($requirement eq "valid-user") {
>   return OK;
> } elsif ($requirement eq "user") {
>   return OK if ($args =~ m/\b$user\b/);
> } else {
>   my $ret_val = $auth_type->$requirement($r, $args);
>   $r->log_error("$auth_type->$requirement returned $ret_val")
> if $debug >= 3;
>   return OK if $ret_val == OK;
> }
> $restricted++;
>   }
>
>   return OK unless $restricted;
>   return FORBIDDEN;
> 
>
> Is anyone actually using this with multiple "require' directives?  Or would
> anyone like to?
>
>   ------
>   Ken Williams Last Bastion of Euclidity
>   [EMAIL PROTECTED]The Math Forum