Ken Miller <[EMAIL PROTECTED]> wrote:
>I'm using Apache::AuthCookie for general authentication/authorization for a
>site I'm working on. However, there's a requirement for fine-grained
>authorization down to the page level - a user may have access to most pages
>in a directory, but be disallowed access to a single page. Note that the
>pages in question are in a single directory.
>
>What I don't want is to have the user tossed to a login page if they try to
>access a page for which they have no access, which is what AuthCookie
>currently does.
>
>I thought about chaining an additional authorization handler, but that
>won't work since if the first one in the chain approves access, then the
>rest won't be called. I think that AuthCookie should come first, since it
>verifies that the user has actually logged in. So, if the user passes
>muster on the first stage of authorization (general access to directory)
>then any other handlers in the chain won't be called. Or is there a way to
>override this behaviour?
>
>What's the best way to do this? I can always stuff some code into my main
>handler, but that's ugly.
Short answer is `yes, it can be done.' Next comes the question of how...
What we don't want is the login page being presented if a valid user is
accessing the page. What you could do is return the proper error status when
the person is unauthorized, and then in the error document check to see if the
person has authenticated or not (basically, a valid $ENV{REMOTE_USER} or
equivalent). If so, then throw up a page explaining that they do not have
proper permissions. Otherwise, present the login page.
I'm not familiar with Apache::AuthCookie enough (or haven't looked at it
recently enough) to know exactly how the above would be accomplished, or how
Apache::AuthCookie would interact with the ErrorDocument, but it would seem
the cleanest way to me.
--
James Smith <[EMAIL PROTECTED]>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
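As an added example (not part of the original thread, and not code from Apache::AuthCookie itself), here is one way to wire up what James describes under mod_perl 1: a small PerlAuthzHandler that sits ahead of AuthCookie's `authorize` method and returns a real FORBIDDEN for pages the logged-in user may not see, plus a content handler behind `ErrorDocument 403` that checks whether the request carries an authenticated user and either explains the missing permission or offers the login form. Everything named here is assumed for illustration: the package names `My::PageAuthz`, `My::ErrorPage` and `My::AuthCookieHandler`, the paths `/login.pl` and `/error/forbidden`, the `%DENY` table, and the `destination` query parameter. Putting the page check first in the authz chain and having it return DECLINED when it has no objection sidesteps the problem Ken raises: AuthCookie's `require valid-user` handling never gets a chance to short-circuit the page check. James is not sure how AuthCookie interacts with ErrorDocument, and neither is this example; check the AuthCookie version you run to confirm that a valid session leaves `$r->connection->user` set and that a failed login redirect does not also land on the same 403 handler.

```perl
# Assumed httpd.conf (mod_perl 1); the error page must live OUTSIDE the
# AuthCookie-protected area or the 403 will recurse into itself:
#
#   <Location /reports>
#       AuthType          My::AuthCookieHandler
#       AuthName          WhatEver
#       PerlAuthenHandler My::AuthCookieHandler->authenticate
#       PerlAuthzHandler  My::PageAuthz My::AuthCookieHandler->authorize
#       require valid-user
#       ErrorDocument 403 /error/forbidden
#   </Location>
#   <Location /error/forbidden>
#       SetHandler perl-script
#       PerlHandler My::ErrorPage
#   </Location>

package My::PageAuthz;
use strict;
use warnings;
use Apache::Constants qw(OK DECLINED FORBIDDEN);

# Assumed per-page deny list: user name => { uri => 1 }. Illustrative data
# only; a real site would load this from a database or a config file.
my %DENY = (
    alice => { '/reports/salaries.html' => 1 },
);

# Policy decision kept free of Apache objects so it can be unit-tested.
sub denied {
    my ($user, $uri) = @_;
    return ($DENY{$user} && $DENY{$user}{$uri}) ? 1 : 0;
}

# PerlAuthzHandler listed *before* AuthCookie's authorize. Authentication has
# already run, so connection->user is set whenever the session cookie was
# valid. DECLINED passes the decision on to AuthCookie's `require` handling;
# FORBIDDEN ends the chain with a 403 instead of a trip to the login form.
sub handler {
    my $r = shift;
    return DECLINED unless $r->is_initial_req;     # skip subrequests/error docs
    my $user = $r->connection->user;
    return DECLINED unless defined $user && length $user;
    if (denied($user, $r->uri)) {
        $r->log_reason("page ACL denies user '$user'", $r->uri);
        return FORBIDDEN;
    }
    return DECLINED;
}

package My::ErrorPage;
use strict;
use warnings;
use Apache::Constants qw(OK);
use Apache::Util qw(escape_html escape_uri);

# Content handler for `ErrorDocument 403 /error/forbidden`. The 403 is served
# by an internal redirect, so the failed request is reachable as $r->prev and
# the authenticated user, if any, is still on the connection record.
sub handler {
    my $r     = shift;
    my $orig  = $r->prev;
    my $uri   = $orig ? $orig->uri : ($ENV{REDIRECT_URL} || '');
    my $user  = $r->connection->user;
    my $login = '/login.pl';    # assumed AuthCookie login script path

    $r->content_type('text/html');
    $r->send_http_header;
    return OK if $r->header_only;

    if (defined $user && length $user) {
        # Valid session, but the page-level ACL rejected this URI.
        $r->print('<h1>Access denied</h1><p>You are logged in as ',
                  escape_html($user), ' but do not have permission to view ',
                  escape_html($uri), '.</p>');
    } else {
        # No session: offer the login form, carrying the original URI along
        # (hypothetical parameter name; match what your login script reads).
        $r->print('<h1>Login required</h1><p><a href="', $login,
                  '?destination=', escape_uri($uri),
                  '">Log in</a> to continue.</p>');
    }
    return OK;
}

1;
```

Two things to keep in mind when deploying something like this. The response status stays 403 because ErrorDocument preserves the original status, so clients and log analysis still see a denial rather than a 200; and `ErrorDocument 403` catches every 403 in that scope, including ones raised by `Deny from` or by AuthCookie's own authorize, so the error page should only ever branch on whether a user is present, never assume the denial came from the page ACL.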