Posted to dev@httpd.apache.org by "Robert S. Thau" <rs...@ai.mit.edu> on 1996/06/16 16:10:13 UTC

Just what you all want... another patch.

I was playing with my authoring stuff... in particular, I wanted to
set up an area which was auth protected for PUTs only... no problem,
right?  You just do...

   AuthType Basic
   ...

   <Limit PUT>
   require ...
   </Limit>

Well, *wrong*.  PUTs require Auth properly, but the behavior of
GETs becomes strange and useless.

The problem is that the core checks whether AuthType is set in order
to see whether to do authentication in this space, whether there is a
"require" line applicable to the actual request method at all or not.
This probably accounts for numerous frequent bug reports and
complaints about strange behavior (as well as the oft-reported NCSA
incompatibility that we do auth even if there are no applicable
"require" lines).

Herewith, a patch:

*** ../src.dist.ref/http_request.c	Sat Jun 15 10:05:48 1996
--- http_request.c	Sun Jun 16 09:57:03 1996
***************
*** 659,664 ****
--- 659,683 ----
      else die (status, r);
  }
  
+ static int some_auth_required (request_rec *r)
+ {
+     /* Is there a require line configured for the type of *this* req? */
+     
+     array_header *reqs_arr = requires (r);
+     require_line *reqs;
+     int i;
+     
+     if (!reqs_arr) return 0;
+     
+     reqs = (require_line *)reqs_arr->elts;
+ 
+     for (i = 0; i < reqs_arr->nelts; ++i)
+ 	if (reqs[i].method_mask & (1 << r->method_number))
+ 	    return 1;
+ 
+     return 0;
+ }
+ 
  void process_request_internal (request_rec *r)
  {
      int access_status;
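
Review bot: The comment at the top of some_auth_required() should state the consequence of returning 0: a request whose method is not covered by any require line's method_mask now skips check_user_id completely, so a section that names only some methods in <Limit> leaves every other method unauthenticated. That is the intended fix, but it belongs in the function comment and the user documentation. Separately, `reqs[i].method_mask & (1 << r->method_number)` trusts r->method_number to be a valid bit index; if it can ever be negative or reach the width of int the shift is undefined, so either add a range check or note in the comment where the range is guaranteed.
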
***************
*** 721,727 ****
  	return;
      }
      
!     if (auth_type (r)) {
          if ((access_status = check_user_id (r)) != 0) {
  	    decl_die (access_status, "check user.  No user file?", r);
  	    return;
--- 740,746 ----
  	return;
      }
      
!     if (some_auth_required (r)) {
          if ((access_status = check_user_id (r)) != 0) {
  	    decl_die (access_status, "check user.  No user file?", r);
  	    return;
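
Review bot: The new condition `if (some_auth_required (r))` drops the auth_type (r) test altogether, so a section that has an applicable require line but no AuthType now reaches check_user_id, where the old code skipped this block. Please confirm that this path fails closed rather than letting the request through, and consider testing auth_type (r) inside the branch so the misconfiguration gets its own log message, since "check user.  No user file?" would be misleading when the real problem is a missing AuthType.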