httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ben Davies" <>
Subject RE: Dynamicly insert 'require' into request
Date Wed, 22 Jul 2009 12:28:05 GMT
> One solution would be to set a note for your hook in an earlier stage,
> and then return DECLINED from your handler when you detect that note.

Ah, but from what I can work out, before the check_user() hook fires, the
403 is sent to the client because of the presence of the require. I can't
have the check_user() hook return DECLINED because its too late: the 403 has
been sent back automatically.

But additionally, I can't return DECLINED from the access() hook (which
fires before the check_user() hook) because if the resource requested is
publicly accessible, then the access() hook should return OK :)

So, to me, the only solution is:
In the access() hook, if the resource is NOT publicly accessible, return OK.
This will make apache recognise the require directive, return a 403, and
then fire the check_user() and auth() hooks.

If the resource IS publicly available, I need to somehow remove the require
directive from the request, and then return OK from the access() hook. This
means that the 403 won't be returns (as there is no require directive set
anymore) which means no authentication (check_user()) hook is fired and
subsequently no authorization (auth()) hook either.

>From what I can make out, this is how Apache would handle the process.

No to see if I can actually modify the request->requires array, and if so,
if that will affect the request processing after exiting the access() hook
so that the 403 and the check_user() and auth() hooks don't fire.

Fun fun fun!

Can someone with a deeper knowledge of Apache than me comment if this sounds
like crazy talk? Have I made a massive assumption regarding the returning of
the 403 header before check_user(), for example?



-----Original Message-----
From: Tom Evans [] 
Sent: 22 July 2009 12:24
Subject: RE: Dynamicly insert 'require' into request

On Wed, 2009-07-22 at 10:43 +0100, Ben Davies wrote:
> Okay, so upon further inspection, it appears that there may not be an
> equivalent function for mod_perls set_handlers().
> This leads me to a problem: how do I "turn off" a hook, especially, as the
> check_user() hook expects the r->user property to contain the username,
> meaning that the sending of a 403 happens before the check_user() hook is
> called. Whatever it is I need to do, I need to do in the access() hook.
> I was hoping it might be something as simple as removing my require entry
> from the require array. Has anyone had any experience with this? If so,
> could you comment on techniques?
> Cheers,
> Ben

One solution would be to set a note for your hook in an earlier stage,
and then return DECLINED from your handler when you detect that note.

There may be a better way :)



View raw message