On 14 Apr 2015, at 7:38 PM, Jose Kahan <[email protected]> wrote:

> require sql-query "SELECT * FROM foo WHERE user=${REMOTE_USER} 
>                   AND uri=${REQUEST_URI} AND ${REQUEST_METHOD} in
>                  ('GET', 'POST')"
> 
> While browsing for information regarding this point, I only
> found people asking if this was possible, but no hints if there
> had been (or will be) plans to do this.
> 
> The defunct mod_auth_mysql used to propose something similar.
> This module is not officially maintained anymore.
> 
> A possible point of confusion in the module's doc [1] is the 
> phrase saying 
> 
>  "Since v2.4.8, expressions are supported within the DBD
>   require directives."

Hmmm…

The limitations we'd have to work with are that all the queries are prepared
statements, and are reused for multiple requests. At the same time, any query
that is interpreted purely as a string would need to be protected against SQL
injection.

One possible way of approaching this would be to extend the dbd-login and 
dbd-logout require directives with optional expression parameters, which can 
then be referred to in the prepared statement, so you could do this:

  Require dbd-login %{REQUEST_URI} %{REQUEST_METHOD} %{REMOTE_USER}
  AuthzDBDQuery "UPDATE authn SET uri = %s, method = %s WHERE user = %s"

  Require dbd-logout %{TIME} %{REMOTE_USER}
  AuthzDBDQuery "UPDATE authn SET logout_time = %s WHERE user = %s"

To be backwards compatible, "Require dbd-login" on its own would imply
"Require dbd-login %{REMOTE_USER}".

One possible approach to support completely generic queries might be as follows:

  Require dbd-query %{REQUEST_URI} %{REMOTE_USER}
  AuthzDBDQuery "SELECT count(user) FROM authn WHERE uri=%s AND user = %s"

The bit above where you’d limit the requests to GET or POST you’d probably do 
with Limit or LimitExcept.

Regards,
Graham
—
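The two approaches discussed in this thread, sketched in Python as an added example that is not part of the thread or of mod_authz_dbd: `interpolated_count` pastes the expanded `%{...}` values into the query text (the reading of the quoted `sql-query` idea that would need injection protection), while `prepared_count` follows Graham's proposal and binds the values as parameters of a prepared statement whose text never changes between requests. The `expand` helper, the function names and the sample `authn` rows are assumptions; SQLite stands in for the DBD backend and its `?` placeholder for apr_dbd's `%s`.

```python
import re
import sqlite3

# Constructed sample rows standing in for the "authn" table used in the thread.
SAMPLE_ROWS = [("alice", "/private"), ("bob", "/public")]

# The generic query from the proposal and the Require arguments that feed it.
QUERY = "SELECT count(user) FROM authn WHERE uri=%s AND user=%s"
EXPRS = ["%{REQUEST_URI}", "%{REMOTE_USER}"]


def make_db():
    """Build an in-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authn (user TEXT NOT NULL, uri TEXT NOT NULL)")
    conn.executemany("INSERT INTO authn (user, uri) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def expand(expr, env):
    """Resolve one %{NAME} expression against a request environment.

    Hypothetical stand-in for httpd's expression parser: only bare
    %{VARIABLE} forms are accepted, anything else is rejected.
    """
    m = re.fullmatch(r"%\{([A-Z_]+)\}", expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr)
    return env[m.group(1)]


def interpolated_count(conn, query, exprs, env):
    """String-substitution reading: each expanded value is quoted and pasted
    into the SQL text, so the SQL the database sees depends on request data."""
    values = [expand(e, env) for e in exprs]
    sql = query % tuple("'%s'" % v for v in values)
    return conn.execute(sql).fetchone()[0]


def prepared_count(conn, query, exprs, env):
    """Proposal from the thread: the query is a prepared statement with %s
    placeholders; the expanded values are bound as parameters, so the SQL
    text is fixed at configuration time and reused across requests."""
    values = tuple(expand(e, env) for e in exprs)
    if query.count("%s") != len(values):
        raise ValueError("placeholder count does not match Require arguments")
    sql = query.replace("%s", "?")  # apr_dbd-style %s -> SQLite positional placeholder
    return conn.execute(sql, values).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed request environments: a normal login and one whose REMOTE_USER
    # value contains a quote, which breaks the string-substituted query.
    normal = {"REQUEST_URI": "/private", "REMOTE_USER": "alice"}
    quoted = {"REQUEST_URI": "/private", "REMOTE_USER": "x' OR '1'='1"}
    for label, env in (("normal", normal), ("quoted", quoted)):
        print(label, "interpolated:", interpolated_count(db, QUERY, EXPRS, env),
              "prepared:", prepared_count(db, QUERY, EXPRS, env))
```

With the constructed rows, both functions return 1 for the normal environment; for the quote-containing `REMOTE_USER` the interpolated query matches every row (2) while the prepared statement correctly matches none (0), which is the behaviour the prepared-statement constraint in the thread buys.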
