Forum

RequiredGroup prevents access or just changes to files?

August
25 August 2012, 10:08
Hiawatha version: hiawatha-8.4.tar.gz
Operating System: Linux

The manual says at one point groupname determines access, at another point that it regulates PUT and DELETE HTTP requests.
I put each user in his own group. Each user directory has a .hiawatha file with RequiredGroup = group_of_user.
Nonetheless the server displays the default page of the user directory without an error. Is this the expected behaviour?
August
27 August 2012, 09:31
Sorry, I got it wrong in the question above. The groups file is simply not regarded if one redirects a 401 error to a file of another user.

But my issue stems from the following:
A user is authenticated and requests a file from the directory of another user. The other user is in the same realm but not in the same group.
Hiawatha asks the user to authenticate again. If the user cannot provide the credentials of the other user, Hiawatha sends an error 401.

Why does Hiawatha not throw an error 403? The user is already authenticated but lacks the right group membership to access the file.
At least Apache 1 checks the groups file first, and only when the user is a member is the password checked (http://httpd.apache.org/docs/1.3/howto/auth.html).
I would like to redirect on wrong group membership without another prompt interaction.
Hugo Leisink
27 August 2012, 21:49
I've changed this behaviour in the RC1 release. Please test it and let me know if this is what you want.
This topic has been closed.
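The 401-versus-403 distinction raised in the thread, as an added example that is not part of the original posts and is not Hiawatha's code: a request without valid credentials gets 401 (prompt again), while a correctly authenticated user who is not in the required group gets 403 (no new prompt). The function names, the users, passwords and groups, and the Apache-style `group: member member` file format are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac

def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample data: two users in one realm, each in their own group.
PASSWORDS = {"alice": _hash("alice-pw"), "bob": _hash("bob-pw")}
GROUP_FILE = """\
# group: member member ...   (assumed Apache-style format)
grp_alice: alice
grp_bob: bob
"""

def parse_groups(text):
    """Parse 'group: member member' lines into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups

def authenticate(auth_header):
    """Return the user name for valid HTTP Basic credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, _, password = raw.partition(":")
    stored = PASSWORDS.get(user)
    # Hash and compare even for unknown users so timing does not reveal them.
    ok = hmac.compare_digest(_hash(password), stored or _hash(""))
    return user if stored and ok else None

def decide(auth_header, required_group, groups):
    """401 = who are you? (re-prompt); 403 = known user, wrong group."""
    user = authenticate(auth_header)
    if user is None:
        return 401
    if user not in groups.get(required_group, set()):
        return 403
    return 200

def basic(user, password):
    """Build a Basic Authorization header value (helper for the sample calls)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

A group name that does not appear in the group file is treated as having no members, so the check fails closed with 403.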