At 11:26 AM 5/23/00 -0500, James G Smith wrote:
>Ken Miller <[EMAIL PROTECTED]> wrote:
>>I'm using Apache::AuthCookie for general authentication/authorization for a
>>site I'm working on.  However, there's a requirement for fine-grained
>>authorization down to the page level - a user may have access to most pages
>>in a directory, but be disallowed access to a single page.  Note that the
>>pages in question are in a single directory.

>Short answer is `yes, it can be done.'  Next comes the question of how...
>
>What we don't want is the login page being presented if a valid user is 
>accessing the page.  What you could do is return the proper error status when
>the person is unauthorized, and then in the error document check to see if the
>person has authenticated or not (basically, a valid $ENV{REMOTE_USER} or 
>equivalent).  If so, then throw up a page explaining that they do not have 
>proper permissions.  Otherwise, present the login page.
>
>I'm not familiar with Apache::AuthCookie enough (or haven't looked at it 
>recently enough) to know exactly how the above would be accomplished, or how 
>Apache::AuthCookie would interact with the ErrorDocument, but it would seem 
>the cleanest way to me.

Well, it appears that I was having a bit of a brain cramp.  AuthCookie
already behaves this way, so I have no idea what I was doing to make it always
jump back to the login page.  I tried it again, and sure enough I got the
403 error page when already logged in.  If I'm not logged in, I get the
login page.  

All I have to do now is (I think) extend the authz handler methods to make
sure that the user not only has general access to the uri directory, but to
the specific uri as well.

Sorry for the wasted bandwidth.

Thanks.


Cheers!

        -klm.

-------------------------------------------
Ken Miller, Consultant
Shetland Software Services Inc.
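
The per-page check described in the message above, as an added example that is not part of the original thread and not Apache::AuthCookie's own code. It is plain Perl with no Apache dependency; `%ACL`, `normalize_uri` and `check_access` are hypothetical names, the policy data is constructed, and the URI is assumed to be already percent-decoded.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample policy: directory-level grants plus per-page denies.
my %ACL = (
    dir_allow => { '/reports/' => { alice => 1, bob => 1 } },
    page_deny => { '/reports/salaries.html' => { bob => 1 } },
);

# Collapse "//", "." and ".." so the policy is matched against the
# canonical path, not whatever spelling the client sent.
sub normalize_uri {
    my ($uri) = @_;
    my @out;
    for my $seg (split m{/+}, $uri) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') { pop @out; next }
        push @out, $seg;
    }
    my $path = '/' . join('/', @out);
    $path .= '/' if @out && $uri =~ m{/\z};   # keep a directory request a directory
    return $path;
}

# Returns 'LOGIN' (no authenticated user), 'FORBIDDEN' (403) or 'OK'.
sub check_access {
    my ($user, $uri, $acl) = @_;
    return 'LOGIN' unless defined $user && length $user;

    my $path = normalize_uri($uri);
    (my $dir = $path) =~ s{[^/]*\z}{};        # "/reports/x.html" -> "/reports/"

    # General access to the directory is required first ...
    my $grants = $acl->{dir_allow}{$dir};
    return 'FORBIDDEN' unless $grants && $grants->{$user};
    # ... then a per-page deny overrides the directory grant.
    my $denies = $acl->{page_deny}{$path};
    return 'FORBIDDEN' if $denies && $denies->{$user};
    return 'OK';
}

# Constructed requests: [authenticated user or undef, requested URI].
for my $case ([undef,   '/reports/index.html'],
              ['alice', '/reports/salaries.html'],
              ['bob',   '/reports/index.html'],
              ['bob',   '/reports/salaries.html'],
              ['bob',   '/reports/./salaries.html'],
              ['carol', '/reports/index.html']) {
    my ($user, $uri) = @$case;
    printf "%-7s %-26s %s\n", $user // '(none)', $uri, check_access($user, $uri, \%ACL);
}
```

The three return values correspond to the behaviour reported in the thread: the login page when nobody is logged in, the 403 page for a logged-in user who lacks permission, and normal delivery otherwise.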
