Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2005/03/13 00:20:53 UTC

[jira] Created: (MODPYTHON-33) mod_python.publisher authentication and forbidden.

mod_python.publisher authentication and forbidden.
--------------------------------------------------

         Key: MODPYTHON-33
         URL: http://issues.apache.org/jira/browse/MODPYTHON-33
     Project: mod_python
        Type: Improvement
  Components: publisher  
    Versions: 3.1.4    
    Reporter: Graham Dumpleton
    Priority: Minor


If, when using Apache, you have authentication in a parent directory set up as:

AuthType Basic
AuthName "Disney Land"
AuthUserFile /Users/grahamd/Sites/auth/pwdb
Require user minney
Require user mickey

and then in a subdirectory you have:

Require user mickey

with the file "date.txt" appearing in both parent and subdirectories.

If one now accesses "/date.txt", the browser will prompt for login/passwd. For
this enter "minney". Now access "/subdir/date.txt".

Because "minney" doesn't have access to the subdirectory, the browser will reprompt
for login/passwd and "mickey" can be entered.

If one does the above with mod_python.publisher as:

__auth_realm__ = "Disney Land"
__auth__ = { "mickey":"mouse", "minney": "mouse" }
__access__ = [ "mickey", "minney" ]

def method1():
  return "method1()"

class A:

  __access__ = [ "mickey" ]

  def method2(self):
    return "method2()"

a = A()

When one accesses the nested method, i.e., "a/method2", rather than asking
again for login/passwd, it simply sends back a FORBIDDEN error and thus
no option is available to change the login. One would have to restart the
browser and then access the nested method.

Instead of the code saying:

        if not rc:
            raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN

it could instead say something like:

    if not rc:
      if found_auth and (callable(__auth__) or \
          type(__auth__) == types.DictionaryType):
        s = 'Basic realm="%s"' % __auth_realm__
        req.err_headers_out["WWW-Authenticate"] = s
        raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED
      else:
        raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN

In other words, if access isn't permitted, but a prior specific authentication
check had been done, and not just a blanket approval, then throw back an error
which gives the option of resupplying login/passwd.

Note however that this may be dependent on MODPYTHON-30 being fixed
first as adding this may simply exacerbate the potential for the other problem.

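To make the reported behaviour and the proposed change concrete, here is an added, self-contained model of the publisher's __auth__/__access__ walk over a nested path. It is example code written for this page, not mod_python's own publisher: ServerReturn stands in for apache.SERVER_RETURN, process_auth and publish are simplified stand-ins for the publisher's traversal, and MODULE is a constructed module mirroring the report's "Disney Land" example.

```python
import base64
from types import SimpleNamespace

HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 401, 403

class ServerReturn(Exception):                 # stand-in for apache.SERVER_RETURN
    def __init__(self, status, headers=None):
        self.status, self.headers = status, headers or {}

def process_auth(creds, node, realm, found_auth, proposed_fix):
    """One level of __auth__/__access__ handling (simplified model, not the real publisher)."""
    auth, access = getattr(node, "__auth__", None), getattr(node, "__access__", None)
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    if callable(auth) or isinstance(auth, dict):           # a specific credential check
        if creds is None:
            raise ServerReturn(HTTP_UNAUTHORIZED, challenge)
        user, passwd = creds
        if not (auth(user, passwd) if callable(auth) else auth.get(user) == passwd):
            raise ServerReturn(HTTP_UNAUTHORIZED, challenge)
        found_auth = True                                  # a real login was verified here
    if callable(access) or isinstance(access, (list, tuple)):
        user = creds[0] if creds else None
        if not (access(user) if callable(access) else user in access):
            if proposed_fix and found_auth:                # MODPYTHON-33: offer a re-login
                raise ServerReturn(HTTP_UNAUTHORIZED, challenge)
            raise ServerReturn(HTTP_FORBIDDEN)             # current behaviour: dead end
    return found_auth

def publish(authorization, module, path, proposed_fix=True):
    """Walk a path such as "a/method2" and return (status, headers, body)."""
    creds, node = None, module
    if authorization and authorization.startswith("Basic "):
        user, _, passwd = base64.b64decode(authorization[6:]).decode().partition(":")
        creds = (user, passwd)
    realm = getattr(module, "__auth_realm__", "unknown")
    try:
        found = process_auth(creds, node, realm, False, proposed_fix)
        for name in path.split("/"):
            node = getattr(node, name)
            found = process_auth(creds, node, realm, found, proposed_fix)
        return 200, {}, node() if callable(node) else node
    except ServerReturn as e:
        return e.status, e.headers, None

class A:                                       # constructed: mirrors the report's example
    __access__ = ["mickey"]
    def method2(self):
        return "method2()"
MODULE = SimpleNamespace(__auth_realm__="Disney Land", __access__=["mickey", "minney"],
                         __auth__={"mickey": "mouse", "minney": "mouse"}, a=A())
```

With proposed_fix=False, "minney" reaching "a/method2" gets a bare 403 and no chance to re-authenticate; with the fix, the same request gets a 401 carrying the realm challenge.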