Access control with LimitExcept


benvh

9:55 pm on Oct 3, 2006 (gmt 0)


Hi all,

I'm in the process of configuring a WebDAV-enabled site, and have gotten stuck trying to get user authorization working the way I want it to. Specifically:

1. Unauthenticated users shouldn't be able to see anything;
2. Users who are members of specific groups should have full read/write access;
3. Everyone else (authenticated, but not members of the aforementioned groups) should be able to browse the site read-only.

Here's the relevant portion of the configuration that I've been trying to make work, in vain:

<Directory /foo>
Dav On
Require valid-user
<LimitExcept OPTIONS GET REPORT PROPFIND>
Require group admin
</LimitExcept>
</Directory>

The problem is that the first "Require valid-user" seems to override the LimitExcept clause; what actually happens is that all valid-users (not just group admin) get read-write access. If I remove the "Require valid-user" line, then EVERYBODY (even unauthenticated users) can browse the site read-only -- but members of group admin do, indeed, get full write access. I've tried adding a "Satisfy All", as well, but it has no apparent effect.

I suspect that I'm on the wrong track completely, but don't know how else to make this work. Any suggestions, or am I SOL?

Thanks,

Ben

jdMorgan

3:18 pm on Oct 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I don't know anything about DAV, but try reversing the restriction priority: that is, define what the admin group can do first, and then further restrict the 'users' using <LimitExcept>.

The way it was written, it said that all valid users can do anything, but admin auth is further required when using any methods except the ones listed. But because admins are still "valid users," the effect was nil.

Try something like:


<Directory /foo>
Dav On
<Limit OPTIONS GET REPORT PROPFIND>
Require group admin
</Limit>
<LimitExcept OPTIONS GET REPORT PROPFIND>
Require valid-user
</LimitExcept>
</Directory>

I'm basically guessing here, so I hope that helps.

Jim

benvh

10:45 pm on Oct 12, 2006 (gmt 0)


Well, that certainly seems reasonable. And lo and behold, it works! Thank goodness for people who actually understand Apache access control directives :^). I did have to swap the "Require"s between the two Limit blocks, thusly:

<Directory /foo>
Dav On
<Limit OPTIONS GET REPORT PROPFIND>
Require valid-user
</Limit>
<LimitExcept OPTIONS GET REPORT PROPFIND>
Require group admin
</LimitExcept>
</Directory>

...which I guess makes sense, if I'm understanding this right: the first Limit block says that you need to be a valid user to be allowed access to the listed methods (providing read-only access), and then the second says that you need to be in the admin group (which implies also being a valid user) to do anything else. Cool.

Thanks much for your help!
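Editor's note, added to the thread: the reason the first configuration failed is that multiple Require directives in one scope are satisfied when any one of them matches, and a Require with no enclosing Limit applies to every method. So "Require valid-user" at Directory level already authorizes PUT and DELETE for every authenticated user, and the LimitExcept block adds nothing. Satisfy has no effect here because it only arbitrates between host-based Allow/Deny and Require; it does not change how several Require lines combine. The working form from the last post puts each Require under exactly one method set, and it behaves the same on Apache 2.4, where Require directives in a section are combined as RequireAny by default. The configuration below is an added example, not code from the original posts: it repeats the thread's final Limit/LimitExcept form with the authentication directives the thread left out (AuthType, AuthName, AuthUserFile, AuthGroupFile; the realm name and file paths are assumptions), and beside it an equivalent written with the Apache 2.4 RequireAny/RequireAll containers and the 2.4 "Require method" provider, which is my translation rather than anything the thread states.

```apache
# Added example, not from the thread. Realm name, file paths and the 2.4 block are assumptions.
# Policy: anonymous users get nothing; any authenticated user may read;
# only members of group "admin" may write. Use one form or the other, not both.

# --- Form 1: Limit / LimitExcept (the thread's final answer; works on 2.2 and 2.4) ---
<Directory "/foo">
    Dav On

    # The thread omitted these; a Require line does nothing without an auth provider.
    AuthType Basic
    AuthName "WebDAV"                          # assumed realm name
    AuthUserFile "/etc/apache2/dav.passwd"     # assumed path, maintained with htpasswd
    AuthGroupFile "/etc/apache2/dav.groups"    # assumed path, e.g. the line "admin: alice bob"

    # Read-only methods: any authenticated user. Listing GET also covers HEAD.
    <Limit OPTIONS GET REPORT PROPFIND>
        Require valid-user
    </Limit>

    # Every other method (PUT, DELETE, MKCOL, PROPPATCH, COPY, MOVE, LOCK, UNLOCK,
    # and any method not known to the server): admin group only. Putting the
    # restrictive rule in LimitExcept means a method you forgot to list is denied,
    # not silently allowed.
    <LimitExcept OPTIONS GET REPORT PROPFIND>
        Require group admin
    </LimitExcept>
</Directory>

# --- Form 2: the same policy spelled out with Apache 2.4 authorization containers ---
# Needs mod_authz_core from 2.4; "Require method" does not exist on 2.2.
<Directory "/foo">
    Dav On
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile "/etc/apache2/dav.passwd"
    AuthGroupFile "/etc/apache2/dav.groups"

    <RequireAny>
        # Branch 1: read-only methods for any authenticated user.
        <RequireAll>
            Require method OPTIONS GET HEAD REPORT PROPFIND
            Require valid-user
        </RequireAll>
        # Branch 2: admins may use any method, the read-only ones included.
        Require group admin
    </RequireAny>
</Directory>
```

After `apachectl -t` passes, check all three cases rather than just the one you care about: an anonymous PROPFIND should get 401, a non-admin user should get 207 for PROPFIND but 403 for PUT, and an admin PUT of a new file should get 201. Test an unlisted method too (MKCOL or MOVE as a non-admin should be 403); that is the case an inverted Limit list gets wrong.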