- if ((rv = check_mysql_auth_require(user, t, r)) - != HTTP_UNAUTHORIZED) - { - return rv;
From the logs, check_mysql_auth_require is getting called here and the sql is getting generated. But it is failing right away. So, next if we say its the actual check_mysql_auth_require function, then comparing the differences it is not much. Does the section of code above contain the proper initializers? Here is a patch for 4.3.9-2 which does the same thing as the patch from the previous post (except this one applies to the latest release of libapache-mod-auth).
Best Regards,
--- libapache-mod-auth-mysql-4.3.9-orig/mod_auth_mysql.c 2005-03-11 09:35:14.000000000 -0800 +++ libapache-mod-auth-mysql-4.3.9/mod_auth_mysql.c 2005-03-11 09:39:11.000000000 -0800 @@ -1549,73 +1549,12 @@ } } -/* Go through a 'requires' line configured for the module, and return OK - * if the user satisfies the line, or some sort of failure return code - * otherwise. - */ -int check_mysql_auth_require(char *user, const char *t, request_rec *r) -{ - mysql_auth_config_rec *sec = (mysql_auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_mysql_module); - const char *w; - int rv; - - w = ap_getword(r->pool, &t, ' '); - /* If they're letting any old authenticated user, we're off the - * hook! - */ - if (!strcmp(w, "valid-user")) { - return OK; - } - - /* Checking a list of usernames */ - if (!strcmp(w, "user")) { - while (t[0]) { - w = ap_getword_conf(r->pool, &t); - if (!strcmp(user, w)) { - return OK; - } - } - /* Not found */ - return HTTP_UNAUTHORIZED; - } else if (!strcmp(w, "group")) { - /* This is the prickly one; checking whether the - * user is a member of a listed group. - */ - while (t[0]) - { - w = ap_getword_conf(r->pool, &t); - rv = mysql_check_group(r, user, (char *)w, sec); - - if (rv == 1) - { - /* Yep, we're all good */ - return OK; - } - else if (rv == -1) - { - return HTTP_INTERNAL_SERVER_ERROR; - } - } - /* Distinct lack of foundage */ - return HTTP_UNAUTHORIZED; - } - else - { - APACHELOG(APLOG_ERR, r, "Invalid argument to require: %s", w); - return HTTP_INTERNAL_SERVER_ERROR; - } - - APACHELOG(APLOG_ERR, r, "CAN'T HAPPEN: Dropped out of the bottom of check_mysql_auth_require!"); - return HTTP_INTERNAL_SERVER_ERROR; -} - -/* This is the authorization step. We're presuming that the user has - * successfully negotiated the step of "I am who I say I am", now we're - * checking to see if the user has permission to access this particular - * resource. As with mysql_authenticate_basic_user, above, we return OK if - * the user is fit to proceed, DECLINED if we don't want to make a decision - * either way, HTTP_UNAUTHORIZED if the user is not allowed, or some apache - * error if there was a major problem. +/* This is the authorization step. We're presuming that the user has successfully + * negotiated the step of "I am who I say I am", now we're checking to see if + * the user has permission to access this particular resource. + * As with mysql_authenticate_basic_user, above, we return OK if the user + * is fit to proceed, DECLINED if we don't want to make a decision either way, + * or some apache error if there was a major problem. */ int mysql_check_auth(request_rec *r) { @@ -1626,9 +1565,10 @@ char *user = r->connection->user; #endif int m = r->method_number; + int method_restricted = 0; int rv; register int x; - const char *t; + const char *t, *w; #ifdef APACHE2 const apr_array_header_t *reqs_arr = ap_requires(r); #else @@ -1664,25 +1604,58 @@ reqs = (require_line *) reqs_arr->elts; for (x = 0; x < reqs_arr->nelts; x++) { - /* mjp: WTF is this? */ + /* WTF is this? */ if (!(reqs[x].method_mask & (1 << m))) { continue; } + method_restricted = 1; t = reqs[x].requirement; - - /* OK, this might seem a little weird. The logic is that, - * if the user is approved, that's sufficient, so we can - * return OK straight away. Alternately, if there's an - * error, we bomb the check and die. The only circumstance - * where we continue looping is when the user didn't pass this - * check, but might pass a future one, so keep looking. + w = ap_getword(r->pool, &t, ' '); + /* If they're letting any old authenticated user, we're off the + * hook! */ - if ((rv = check_mysql_auth_require(user, t, r)) - != HTTP_UNAUTHORIZED) - { - return rv; + if (!strcmp(w, "valid-user")) { + return OK; + } + + /* Checking a list of usernames */ + if (!strcmp(w, "user")) { + while (t[0]) { + w = ap_getword_conf(r->pool, &t); + if (!strcmp(user, w)) { + return OK; + } + } + } else if (!strcmp(w, "group")) { + /* This is the prickly one; checking whether the + * user is a member of a listed group. + */ + while (t[0]) { + w = ap_getword_conf(r->pool, &t); + rv = mysql_check_group(r, user, (char *)w, sec); + + if (rv == 1) + { + /* Yep, we're all good */ + return OK; + } + else if (rv == -1) + { + return HTTP_INTERNAL_SERVER_ERROR; + } + } } + + /* The user is not part of any listed groups or users, and + * the valid-user check wasn't used. + */ + return HTTP_UNAUTHORIZED; + } + + /* If there were no requires lines, we assume we're good to go */ + if (!method_restricted) { + return OK; } /* We don't know, and we don't really care */