Tags:





.htaccess files and groups
July 11, 2008 6:37 AM   RSS feed for this thread Subscribe

I'm configuring some htaccess files for multiple directories and I'm having some problems incorporating groups of authorized users.

Say there's 4 directories with protected content in each: 2005, 2006, 2007, 2008

The people that have access are subscribers. Some users have access to all directories, and some users have access only for some. Access is granted based on password or IP address/range.

For this situation I have an .htaccess file similar this in each directory:

AuthType BasicAuthName "2008 Subscriptions"AuthUserFile /path/to/password/file/2008.pwrequire valid-userSatisfy anyorder deny,allowallow from 123.123.123.123allow from 223.223.223.223allow from 123.156.0.0/16and so onand so onand so ondeny from all
This works perfectly for the situation described above.

The IP addresses in the .htaccess files and users in the password files are pretty static. Once they are in there, they usually stay. However, there is a small group of people, we'll call them editors, that is very dynamic. People are constantly being added to and removed from this list. These editors should have access to all 4 directories. Currently they are given access permission via the password file shown above. This means that if an editor is added or removed, I have to make the change in 4 different files. Sometimes they are accidentally not added or removed to all the lists and then they complain and somebody has to fix it with a lot of back and forth and yada yada.

I want to set up a group just for the editors. I want to have just one list that I have to edit instead of 4 whenever a change is made.

However, from what I find in my searching, the way to add groups is to add the line: 
AuthGroupFile /path/to/editors/file/.htgroup
and inside this file add something like:
editors: john sally joe
My questions:
How do I assign passwords to these users?

Does this mean that in addition to maintaining this htgroup file, I need to assign and maintain another password file as well?
-If so, that isn't what I want because I only want to have to edit ONE file for the editors, NOT TWO.

Is this possible?
Am I going about this the wrong way?
posted by chillmost to computers & internet (2 comments total)
First Apache verifies the user's credentials with the password file; then it checks the group file to see whether that user is authorized. As far as I can tell, it doesn't allow you to combine password and group information into one file. There is an option to do so with mod_auth_dbm, but I've never tried it. (What version of Apache are you running?)

Is editing two files (independent of the number of protected directories) really such a big deal? If it is, why not just create a simple shell script that modifies both files for you?
posted by teraflop at 9:50 AM on July 11, 2008


Is editing two files (independent of the number of protected directories) really such a big deal?

Yes. It increases the possibility of error that we are trying to reduce. If I understand you correctly, this would actually increase the number of files I would have to edit. It seems that the way we have it now is the easiest.
If it is, why not just create a simple shell script that modifies both files for you?

Because I don't know how. See you in a week with my new question about writing shell scripts. ;-)

Actually, I'll see if I can whip up a little php/mysql backend thingie that will regenerate the files every time a change is made.
posted by chillmost at 1:30 AM on July 12, 2008


« Older Our pug has always had breathi...   |   How can I get Quicksilver-styl... Newer »
This thread is closed to new comments.