cancelling "Require" directive for certain files

With only "Require" in effect and no "Allow"s, "Satisfy any" allows anyone.

         

threedee

5:21 pm on May 11, 2006 (gmt 0)



A site I'm working on is using a script called phpFormGenerator to save some time, but I've discovered something odd about it. Say it's installed at domain.com/forms/. Visiting that URL gives you the admin interface from which you can create and delete forms from the site. Obviously, I thought, I need to passlock that dir.

Then today we got complaints from people trying to submit the form that after clicking "submit" they were asked for a password! D'oh! I thought. The form processing scripts are stored in /forms/forms/use/[formname]/process.php! And individual admin interfaces for the forms are at /forms/forms/use/[formname]/admin/! I am tempted to insult the programmers, but it's free and open-source so there's no point whining.

So I'm designing some .htaccess files to "Require valid-user" for everything under the /forms/ dir except for the process.php files. I thought maybe something like this would do the trick:


<Files process.php>
Require none
</Files>

...but it turns out that the Require directive can only add requirements, not remove them. Finally I came across the Satisfy directive, so now I can do this:


<Files process.php>
Order Deny,Allow
Allow from all
Satisfy any
</Files>

Why am I posting if I already have the solution? Because I noticed something that seems to contradict the manual. Merely writing "Satisfy any" seems to be enough to completely cancel the Require directive. For example, this:


AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
Satisfy any

...has the same effect as an empty file. So "Satisfy any" cancels Require directives, but it doesn't work the same for this:


Order Allow,Deny
Allow from nobodyisfromthisdomain.com
Satisfy any

I still get a 403 in this case.

Basically I'm wondering if I can rely on this behaviour of "Satisfy any" to cancel "Require", since the manual [httpd.apache.org] says "Satisfy" is only useful when both Require and Allow are in effect. Maybe higher up in some other config file for my server there's an Allow directive that my "Satisfy any" ends up referring to? For now I'm going to do this, to be safe:


<Files process.php>
Order Deny,Allow
Allow from all
Satisfy any
</Files>
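
An added example, not part of the original post: a simplified Python model of how Apache 2.0/2.2 combines the host check (Order/Allow/Deny) with Require under Satisfy, run against the snippets above. The function names, the dict layout and the client host name are hypothetical, and INHERITED_DENY is an assumed higher-level restriction that the post does not show.

```python
# Simplified model of Apache 2.0/2.2 access checking (added example, not Apache code).
# Function names and the dict layout are hypothetical; host names are constructed.

def host_allowed(order, allow, deny, client):
    """Evaluate Order/Allow/Deny for one client host name."""
    def matches(specs):
        return any(s == "all" or client == s or client.endswith("." + s)
                   for s in specs)
    if order == "deny,allow":      # Apache's default Order: allowed unless denied
        return (not matches(deny)) or matches(allow)
    if order == "allow,deny":      # denied unless explicitly allowed
        return matches(allow) and not matches(deny)
    raise ValueError("unknown Order: " + order)

def decide(cfg, client, valid_login):
    """Return the HTTP status (200, 401 or 403) for one request."""
    host_ok = host_allowed(cfg.get("order", "deny,allow"),
                           cfg.get("allow", []), cfg.get("deny", []), client)
    auth_required = "require" in cfg
    if cfg.get("satisfy", "all") == "all":
        if not host_ok:
            return 403
        return 200 if (valid_login or not auth_required) else 401
    # Satisfy any: passing the host check alone is enough.
    if host_ok:
        return 200
    if not auth_required:
        return 403                 # nothing else can satisfy the request
    return 200 if valid_login else 401

# Constructed configurations mirroring the snippets in the post.
REQUIRE_ONLY = {"require": "valid-user", "satisfy": "any"}
ALLOW_NOBODY = {"order": "allow,deny", "satisfy": "any",
                "allow": ["nobodyisfromthisdomain.com"]}
EXPLICIT = {"order": "deny,allow", "allow": ["all"],
            "require": "valid-user", "satisfy": "any"}
# Assumed case: a "Deny from all" inherited from a higher-level config.
INHERITED_DENY = {"deny": ["all"], "require": "valid-user", "satisfy": "any"}

if __name__ == "__main__":
    anon = ("client.example.net", False)
    for name, cfg in [("REQUIRE_ONLY", REQUIRE_ONLY), ("ALLOW_NOBODY", ALLOW_NOBODY),
                      ("EXPLICIT", EXPLICIT), ("INHERITED_DENY", INHERITED_DENY)]:
        print(name, decide(cfg, *anon))
```

In this model the bare "Satisfy any" opens the file only because the default Order is Deny,Allow with nothing denied; once a host restriction is in effect (INHERITED_DENY), anonymous requests get 401 again. The explicit "Order Deny,Allow" plus "Allow from all" form does not depend on that default.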