Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2005/03/13 00:20:53 UTC
[jira] Created: (MODPYTHON-33) mod_python.publisher authentication and forbidden.
mod_python.publisher authentication and forbidden.
--------------------------------------------------
Key: MODPYTHON-33
URL: http://issues.apache.org/jira/browse/MODPYTHON-33
Project: mod_python
Type: Improvement
Components: publisher
Versions: 3.1.4
Reporter: Graham Dumpleton
Priority: Minor
If, when using Apache, you have authentication set up in a parent directory as:

    AuthType Basic
    AuthName "Disney Land"
    AuthUserFile /Users/grahamd/Sites/auth/pwdb
    Require user minney
    Require user mickey

and then in a subdirectory you have:

    Require user mickey

with the file "date.txt" appearing in both the parent directory and the subdirectory.
If one now accesses "/date.txt", the browser will prompt for a login/passwd. For
this enter "minney". Now access "/subdir/date.txt".
Because "minney" doesn't have access to the subdirectory, the browser will reprompt
for login/passwd and "mickey" can be entered.
If one does the above with mod_python.publisher as:

    __auth_realm__ = "Disney Land"
    __auth__ = { "mickey":"mouse", "minney": "mouse" }
    __access__ = [ "mickey", "minney" ]

    def method1():
        return "method1()"

    class A:
        # Only "mickey" may reach anything below this object.
        __access__ = [ "mickey" ]

        def method2(self):
            return "method2()"

    a = A()
When one accesses the nested method, i.e., "a/method2", rather than asking
again for login/passwd, it simply sends back a FORBIDDEN error and thus
no option is available to change the login. One would have to restart the
browser and then access the nested method.
Instead of the code saying:

    if not rc:
        raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN

it could instead say something like:

    if not rc:
        # Only re-challenge when a specific __auth__ check (callable or
        # dict) was actually evaluated, not a blanket __auth__ = True.
        if found_auth and (callable(__auth__) or \
                           type(__auth__) == types.DictionaryType):
            s = 'Basic realm="%s"' % __auth_realm__
            req.err_headers_out["WWW-Authenticate"] = s
            raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED
        else:
            raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN
In other words, if access isn't permitted, but a prior specific authentication
check had been done (not just a blanket approval), then throw back an error
which gives the option of resupplying the login/passwd.
Note however that this may be dependent on MODPYTHON-30 being fixed
first as adding this may simply exacerbate the potential for the other problem.
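The following is an added, stand-alone Python 3 simulation of the decision logic proposed in this issue; it is not the issue's patch and not mod_python's own code. It walks a publisher-style path through a constructed module namespace, evaluates __auth__ and __access__ at each level, and returns an HTTP status code instead of raising apache.SERVER_RETURN. The names FakeRequest, handle, disney_namespace and run_case, the reauth_on_denied switch, and the credentials used are all assumptions made for the example; reauth_on_denied=False reproduces the current FORBIDDEN behaviour and True the proposed re-challenge.

```python
import base64

# Same numeric values as apache.HTTP_* in mod_python; defined locally so this runs stand-alone.
HTTP_OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, HTTP_NOT_FOUND = 200, 401, 403, 404


class FakeRequest:
    """Constructed stand-in for the mod_python request object (assumption):
    only the two attributes the decision logic touches."""

    def __init__(self, credentials=None):
        self.headers_in = {}
        self.err_headers_out = {}
        if credentials is not None:          # e.g. "mickey:mouse" (constructed)
            token = base64.b64encode(credentials.encode()).decode()
            self.headers_in["Authorization"] = "Basic " + token


def parse_basic(req):
    """Return (user, password) from a Basic Authorization header, else (None, None)."""
    hdr = req.headers_in.get("Authorization", "")
    if not hdr.startswith("Basic "):
        return None, None
    try:
        decoded = base64.b64decode(hdr[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None, None
    user, _, passwd = decoded.partition(":")
    return user, passwd


def check_auth(auth, user, passwd):
    """__auth__ may be a callable, a {user: password} dict, or a bool."""
    if callable(auth):
        return bool(auth(user, passwd))
    if isinstance(auth, dict):
        return user is not None and auth.get(user) == passwd
    return bool(auth)


def check_access(access, user):
    """__access__ may be a callable, a list of users, or a bool."""
    if callable(access):
        return bool(access(user))
    if isinstance(access, (list, tuple)):
        return user in access
    return bool(access)


def lookup(obj, name):
    """Fetch `name` from a module-like dict or from an object's attributes."""
    if isinstance(obj, dict):
        return obj.get(name)
    return getattr(obj, name, None)


def handle(namespace, path, req, reauth_on_denied=True):
    """Walk `path` (e.g. 'a/method2') through `namespace`, checking __auth__ and
    __access__ at every level.  reauth_on_denied=False reproduces the current
    FORBIDDEN behaviour; True applies the change proposed in this issue."""
    user, passwd = parse_basic(req)
    realm = lookup(namespace, "__auth_realm__") or "unknown"
    last_auth = None            # the most recent __auth__ actually evaluated
    parts = path.strip("/").split("/")
    obj = namespace

    def challenge():
        req.err_headers_out["WWW-Authenticate"] = 'Basic realm="%s"' % realm
        return HTTP_UNAUTHORIZED

    while True:
        auth = lookup(obj, "__auth__")
        if auth is not None:
            last_auth = auth
            if not check_auth(auth, user, passwd):
                return challenge()
        access = lookup(obj, "__access__")
        if access is not None and not check_access(access, user):
            # Proposed: a *specific* prior auth check (dict or callable, not a
            # blanket True) means another login could succeed, so re-challenge.
            specific = callable(last_auth) or isinstance(last_auth, dict)
            if reauth_on_denied and specific:
                return challenge()
            return HTTP_FORBIDDEN
        if not parts:
            return HTTP_OK
        obj = lookup(obj, parts.pop(0))
        if obj is None:
            return HTTP_NOT_FOUND


def disney_namespace(blanket_auth=False):
    """Constructed module namespace mirroring the publisher code in this issue."""
    class A:
        __access__ = ["mickey"]

        def method2(self):
            return "method2()"
    return {
        "__auth_realm__": "Disney Land",
        "__auth__": True if blanket_auth else {"mickey": "mouse", "minney": "mouse"},
        "__access__": ["mickey", "minney"],
        "method1": lambda: "method1()",
        "a": A(),
    }


def run_case(path, credentials, reauth_on_denied=True, blanket_auth=False):
    """Return (status, WWW-Authenticate header or None) for one simulated request."""
    req = FakeRequest(credentials)
    status = handle(disney_namespace(blanket_auth), path, req, reauth_on_denied)
    return status, req.err_headers_out.get("WWW-Authenticate")
```

With the dict __auth__ from the issue, "minney" requesting "a/method2" gets 403 under the current behaviour and 401 with a WWW-Authenticate challenge under the proposal, so the browser can offer a different login; with a blanket __auth__ = True the result stays 403 either way, since no specific credential check was ever made and re-prompting could not change the outcome.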