httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: [users@httpd] Resource Centric Authz
Date Fri, 27 Mar 2009 08:49:19 GMT

On 26 Mar 2009, at 11:48, Ben Davies wrote:

> For Authorization, I want each resource to have an owner and a  
> group (like unix/linux), and I want each of these to restrict  
> access based on the http method used to access the resource. For  
> example;
>
> I have the resource article.html
> The owner of this resource is “bob”.
> The group of this resource is “editors”.
> The following methods may be used by the owner on this resource:  
> GET, PUT, DELETE
> The following methods may be used by members of the group “editors”  
> on this resource: GET, PUT
> Any user who is not the owner, and not a member of the group  
> “editors” may use the following methods: GET

Normally you'd use <Limit> / <LimitExcept>.  But that only gives you a
two-way distinction, and you need three.

I expect you could apply the universal quick&dirty fix: a RewriteCond
to capture the request method, and dispatch internally into different
protection regimes.

If you use trunk/2.3/2.4, there's a cleaner alternative: use
<If ...> blocks for different request methods.

-- 
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message