httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Houser, Rick" <Houser.R...@aoins.com>
Subject RE: Dynamicly insert 'require' into request
Date Wed, 22 Jul 2009 12:47:45 GMT
I had a reason to remove a module's check_user function registration
just like you did, but wasn't ever able to find a way to do so.  What I
ended up having to do is much as described, by running that phase twice,
under the control of my own module's code.  You may need to trap some
instances of the 403 condition, do some additional checking, modify your
circumstances, then re-do the operation that originally resulted in the
403.



Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: Ben Davies [mailto:bdavies@stickyeyes.com] 
Sent: Wednesday, July 22, 2009 8:28 AM
To: modules-dev@httpd.apache.org
Subject: RE: Dynamicly insert 'require' into request

> One solution would be to set a note for your hook in an earlier stage,

> and then return DECLINED from your handler when you detect that note.

Ah, but from what I can work out, before the check_user() hook fires,
the
403 is sent to the client because of the presence of the require. I
can't have the check_user() hook return DECLINED because its too late:
the 403 has been sent back automatically.

But additionally, I can't return DECLINED from the access() hook (which
fires before the check_user() hook) because if the resource requested is
publicly accessible, then the access() hook should return OK :)

So, to me, the only solution is:
In the access() hook, if the resource is NOT publicly accessible, return
OK.
This will make apache recognise the require directive, return a 403, and
then fire the check_user() and auth() hooks.

If the resource IS publicly available, I need to somehow remove the
require directive from the request, and then return OK from the access()
hook. This means that the 403 won't be returns (as there is no require
directive set
anymore) which means no authentication (check_user()) hook is fired and
subsequently no authorization (auth()) hook either.

>From what I can make out, this is how Apache would handle the process.

No to see if I can actually modify the request->requires array, and if
so, if that will affect the request processing after exiting the
access() hook so that the 403 and the check_user() and auth() hooks
don't fire.

Fun fun fun!

Can someone with a deeper knowledge of Apache than me comment if this
sounds like crazy talk? Have I made a massive assumption regarding the
returning of the 403 header before check_user(), for example?

Cheers!

Ben


-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com]
Sent: 22 July 2009 12:24
To: modules-dev@httpd.apache.org
Subject: RE: Dynamicly insert 'require' into request

On Wed, 2009-07-22 at 10:43 +0100, Ben Davies wrote:
> Okay, so upon further inspection, it appears that there may not be an 
> equivalent function for mod_perls set_handlers().
> 
> This leads me to a problem: how do I "turn off" a hook, especially, as

> the
> check_user() hook expects the r->user property to contain the 
> username, meaning that the sending of a 403 happens before the 
> check_user() hook is called. Whatever it is I need to do, I need to do
in the access() hook.
> 
> I was hoping it might be something as simple as removing my require 
> entry from the require array. Has anyone had any experience with this?

> If so, could you comment on techniques?
> 
> Cheers,
> 
> Ben
> 

One solution would be to set a note for your hook in an earlier stage,
and then return DECLINED from your handler when you detect that note.

There may be a better way :)

Cheers

Tom




Mime
View raw message