-v1.0.2 (Jan Wolter - not yet released)
+v1.0.2 (Jan Wolter - May 21, 2009)
------------------------------------
- * Adding copyright and Apache Version 2.0 license
+ * Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE
+ files.
+ * New directive: AuthzUnixgroupError, can be used to specify the HTTP
+ error number to be returned on failure.
v1.0.1 (Jan Wolter - Aug 6, 2008)
------------------------------------
Then a user will be able to access a file if and only if that file is owned
by a group of which the user is a member.
+Normally, when an access check fails, mod_authz_unixgroup will return a
+HTTP 401 error. This will typically cause the browser to pop up a message
+saying "Authentication Failed" and then the browser will ask for a new login
+name. In some cases this is not the desired behavior. If you are using the
+"Require file-group" directive, you may not want to log the user off every time
+he hits a file he doesn't have access to. Maybe you'd rather just show a
+"Permission denied message" and not log him off. You could do that by
+directing mod_authz_unixgroup to return a 403 error instead of a 401 error.
+You can do this with the following directive:
+
+ AuthnzUnixgroupError 403
+
By default, mod_authz_unixgroup is authoritative. If you want to use more
than one group checker, like mod_authz_unixgroup together with
mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non-
{
int enabled;
int authoritative;
+ char *errcode;
} authz_unixgroup_dir_config_rec;
dir->enabled= 0;
dir->authoritative= 1; /* strong by default */
+ dir->errcode= NULL; /* default to 401 */
return dir;
}
"Set to 'off' to allow access control to be passed along to lower "
"modules if this module can't confirm access rights" ),
+ AP_INIT_TAKE1("AuthzUnixgroupError",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode),
+ OR_AUTHCFG,
+ "HTTP error code to return when user is not in group" ),
+
{ NULL }
};
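Review bot: The new `AuthzUnixgroupError` entry uses `ap_set_string_slot`, so the argument is stored unchecked and is only interpreted by `atoi()` when a request is denied; with `OR_AUTHCFG` the value can presumably also come from .htaccess files. A value such as `200`, `302` or `403x` is then accepted as the status of a denied request, and the patch does not control what the server does with a non-error status returned from this hook. Validating once at configuration time, with a handler that rejects anything outside the HTTP error range, turns a typo into a configuration error instead of a changed access-control response. Separately, the README hunk in this same patch spells the directive `AuthnzUnixgroupError`, which does not match the name registered here. The command table begins outside this hunk.
```c
static const char *set_authz_unixgroup_error(cmd_parms *cmd, void *mconfig,
                                             const char *arg)
{
    authz_unixgroup_dir_config_rec *dir= mconfig;
    char *end;
    long code= strtol(arg, &end, 10);

    /* Accept only a whole number that is an HTTP error status */
    if (end == arg || *end != '\0' || code < 400 || code > 599)
        return "AuthzUnixgroupError must be an HTTP error status (400-599)";

    dir->errcode= apr_pstrdup(cmd->pool, arg);
    return NULL;
}

/* ... unchanged: earlier command table entries ... */
    AP_INIT_TAKE1("AuthzUnixgroupError",
	set_authz_unixgroup_error,
	NULL,
	OR_AUTHCFG,
	"HTTP error code to return when user is not in group" ),
```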
ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
int m= r->method_number;
- int required_group= 0;
- register int x;
+ int i,ret;
const char *t, *w;
const apr_array_header_t *reqs_arr= ap_requires(r);
const char *filegroup= NULL;
+ int required_group= 0;
require_line *reqs;
/* If not enabled, pass */
reqs= (require_line *)reqs_arr->elts;
/* Loop through the "Require" argument list */
- for(x= 0; x < reqs_arr->nelts; x++)
+ for(i= 0; i < reqs_arr->nelts; i++)
{
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue;
+ if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue;
- t= reqs[x].requirement;
+ t= reqs[i].requirement;
w= ap_getword_white(r->pool, &t);
/* The 'file-group' directive causes mod_authz_owner to store the
/* Authentication failed and we are authoritive, declare unauthorized */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not allowed access",
- r->uri, r->user);
+ "access to %s failed, reason: user %s not allowed access (%s)",
+ r->uri, r->user, dir->errcode);
ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+
+ return (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret :
+ HTTP_UNAUTHORIZED;
}
static void authz_unixgroup_register_hooks(apr_pool_t *p)
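Review bot: `ap_note_basic_auth_failure(r)` is still called unconditionally before the status is chosen, so a configured 403 appears to go out with the Basic challenge still noted on the request, which works against the README's stated goal of not re-prompting the user. The log line also passes `dir->errcode` to `%s` although it is NULL by default, so the common case logs no useful status and relies on the formatter tolerating a NULL string. Resolving the status first, logging it with `%d`, and noting the auth failure only when the answer really is 401 addresses both. The enclosing function begins outside this hunk.
```c
    /* Resolve the status once so the log and the response agree */
    ret= HTTP_UNAUTHORIZED;
    if (dir->errcode && atoi(dir->errcode) > 0)
	ret= atoi(dir->errcode);

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
	"access to %s failed, reason: user %s not allowed access (%d)",
	r->uri, r->user, ret);

    /* Only ask the client for new credentials when answering 401 */
    if (ret == HTTP_UNAUTHORIZED)
	ap_note_basic_auth_failure(r);

    return ret;
```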