- if ((rv = check_mysql_auth_require(user, t, r))
- != HTTP_UNAUTHORIZED)
- {
- return rv;
From the logs, check_mysql_auth_require is getting called here and the SQL is getting generated, but it fails right away. So, next, if we say it's the actual check_mysql_auth_require function, then comparing the differences, there is not much. Does the section of code above contain the proper initializers? Here is a patch for 4.3.9-2 which does the same thing as the patch from the previous post (except that this one applies to the latest release of libapache-mod-auth).
Best Regards,
--- libapache-mod-auth-mysql-4.3.9-orig/mod_auth_mysql.c 2005-03-11
09:35:14.000000000 -0800
+++ libapache-mod-auth-mysql-4.3.9/mod_auth_mysql.c 2005-03-11
09:39:11.000000000 -0800
@@ -1549,73 +1549,12 @@
}
}
-/* Go through a 'requires' line configured for the module, and return OK
- * if the user satisfies the line, or some sort of failure return code
- * otherwise.
- */
-int check_mysql_auth_require(char *user, const char *t, request_rec *r)
-{
- mysql_auth_config_rec *sec = (mysql_auth_config_rec *)
ap_get_module_config(r->per_dir_config, &auth_mysql_module);
- const char *w;
- int rv;
-
- w = ap_getword(r->pool, &t, ' ');
- /* If they're letting any old authenticated user, we're off the
- * hook!
- */
- if (!strcmp(w, "valid-user")) {
- return OK;
- }
-
- /* Checking a list of usernames */
- if (!strcmp(w, "user")) {
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (!strcmp(user, w)) {
- return OK;
- }
- }
- /* Not found */
- return HTTP_UNAUTHORIZED;
- } else if (!strcmp(w, "group")) {
- /* This is the prickly one; checking whether the
- * user is a member of a listed group.
- */
- while (t[0])
- {
- w = ap_getword_conf(r->pool, &t);
- rv = mysql_check_group(r, user, (char *)w, sec);
-
- if (rv == 1)
- {
- /* Yep, we're all good */
- return OK;
- }
- else if (rv == -1)
- {
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- }
- /* Distinct lack of foundage */
- return HTTP_UNAUTHORIZED;
- }
- else
- {
- APACHELOG(APLOG_ERR, r, "Invalid argument to require: %s", w);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- APACHELOG(APLOG_ERR, r, "CAN'T HAPPEN: Dropped out of the bottom of
check_mysql_auth_require!");
- return HTTP_INTERNAL_SERVER_ERROR;
-}
-
-/* This is the authorization step. We're presuming that the user has
- * successfully negotiated the step of "I am who I say I am", now we're
- * checking to see if the user has permission to access this particular
- * resource. As with mysql_authenticate_basic_user, above, we return OK if
- * the user is fit to proceed, DECLINED if we don't want to make a decision
- * either way, HTTP_UNAUTHORIZED if the user is not allowed, or some apache
- * error if there was a major problem.
+/* This is the authorization step. We're presuming that the user has
successfully
+ * negotiated the step of "I am who I say I am", now we're checking to see if
+ * the user has permission to access this particular resource.
+ * As with mysql_authenticate_basic_user, above, we return OK if the user
+ * is fit to proceed, DECLINED if we don't want to make a decision either way,
+ * or some apache error if there was a major problem.
*/
int mysql_check_auth(request_rec *r)
{
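Review bot: The rewritten header comment for `mysql_check_auth` no longer lists HTTP_UNAUTHORIZED among the return values, yet the code this patch inlines into the function (the `@@ -1664` hunk) still returns it, and now does so inside the `for` loop over `reqs`. By brace count on the added lines, that return sits before the loop's closing brace, so the first `require` line that applies to the request method decides the outcome and later lines are never consulted, which is the opposite of the "keep looking" behaviour the deleted comment described. The same hunk returns OK when no `require` line applies to the method, and an unrecognised `require` keyword now ends in HTTP_UNAUTHORIZED without the APACHELOG error and HTTP_INTERNAL_SERVER_ERROR that the removed helper produced. I would keep the old clause `HTTP_UNAUTHORIZED if the user is not allowed` in the comment and add a line stating the intended outcomes, for example `* Returns OK when no require line applies to the request method.`, so the access-control contract can be checked against the code. The body of `mysql_check_auth` continues outside this hunk.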
@@ -1626,9 +1565,10 @@
char *user = r->connection->user;
#endif
int m = r->method_number;
+ int method_restricted = 0;
int rv;
register int x;
- const char *t;
+ const char *t, *w;
#ifdef APACHE2
const apr_array_header_t *reqs_arr = ap_requires(r);
#else
@@ -1664,25 +1604,58 @@
reqs = (require_line *) reqs_arr->elts;
for (x = 0; x < reqs_arr->nelts; x++) {
- /* mjp: WTF is this? */
+ /* WTF is this? */
if (!(reqs[x].method_mask & (1 << m))) {
continue;
}
+ method_restricted = 1;
t = reqs[x].requirement;
-
- /* OK, this might seem a little weird. The logic is that,
- * if the user is approved, that's sufficient, so we can
- * return OK straight away. Alternately, if there's an
- * error, we bomb the check and die. The only circumstance
- * where we continue looping is when the user didn't pass this
- * check, but might pass a future one, so keep looking.
+ w = ap_getword(r->pool, &t, ' ');
+ /* If they're letting any old authenticated user, we're off the
+ * hook!
*/
- if ((rv = check_mysql_auth_require(user, t, r))
- != HTTP_UNAUTHORIZED)
- {
- return rv;
+ if (!strcmp(w, "valid-user")) {
+ return OK;
+ }
+
+ /* Checking a list of usernames */
+ if (!strcmp(w, "user")) {
+ while (t[0]) {
+ w = ap_getword_conf(r->pool, &t);
+ if (!strcmp(user, w)) {
+ return OK;
+ }
+ }
+ } else if (!strcmp(w, "group")) {
+ /* This is the prickly one; checking whether the
+ * user is a member of a listed group.
+ */
+ while (t[0]) {
+ w = ap_getword_conf(r->pool, &t);
+ rv = mysql_check_group(r, user, (char *)w, sec);
+
+ if (rv == 1)
+ {
+ /* Yep, we're all good */
+ return OK;
+ }
+ else if (rv == -1)
+ {
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
}
+
+ /* The user is not part of any listed groups or users, and
+ * the valid-user check wasn't used.
+ */
+ return HTTP_UNAUTHORIZED;
+ }
+
+ /* If there were no requires lines, we assume we're good to go */
+ if (!method_restricted) {
+ return OK;
}
/* We don't know, and we don't really care */

