On Tue, 15 Mar 2005 15:09:23 +0200, Claudiu Sebe <csebe@xxxxx> wrote:
> Hello all,
>
> Here is the story:
>
> In a certain directory, users authenticate through mod_auth user/pass
> mechanism like:
> ####
> <Directory /var/www/localhost/protected>
> Options +FollowSymLinks +Indexes
> AuthName "Client Login"
> AuthType Basic
> AuthUserFile /var/www/passes/.htpass
> Require valid-user
> ####
>
> The /protected directory looks like:
> /protected
>     /user1
>     /user2
>     ...
>
> After authentication I need to redirect the user to their directory based on
> the login name, so in the same <Directory...> directive, I put:
> ####
> RewriteEngine on
> RewriteRule ^$ /protected/%{REMOTE_USER}/$1 [L,R]
> ####
>
> Till here works ok. But I'd like to avoid that users knowing the full path
> to other users' directory, being able to enter there.
> IMHO what I need can't be done only with mod rewrite. Can anyone show me
> wrong 8-) ?

I think there is something you aren't telling us, since your above
RewriteRule should create an infinite loop (it will hit again on the
request to /protected/%{REMOTE_USER}). And in addition, the $1
doesn't match anything.

The way I would handle this (and there are probably others), is to
remove the "R" from your RewriteRule. That way the users won't have
any choice (or knowledge) about the specific subdirectory that they
are entering. It would look something like

    RewriteRule (.*) /full/path/to/protected/%{REMOTE_USER}/$1 [L]

One way to avoid the infinite loop problem would be to put
/full/path/to/protected someplace outside the DocumentRoot.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
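
An added example, not from either poster: one way to keep the visible redirect from the question while refusing any request under /protected/ whose first path segment is not the authenticated login name. It reuses the directory and auth settings from the question; `RewriteBase /protected/` assumes the directory is served at that URL, and the comparison idiom (a back-reference inside the `RewriteCond` pattern) is this example's choice.

```apache
<Directory /var/www/localhost/protected>
    Options +FollowSymLinks +Indexes
    AuthName "Client Login"
    AuthType Basic
    AuthUserFile /var/www/passes/.htpass
    Require valid-user

    RewriteEngine on
    # Assumption: this directory is reachable as /protected/ in URL space.
    RewriteBase /protected/

    # In <Directory> context the pattern sees the path relative to this
    # directory, so ^$ matches only a request for /protected/ itself.
    # REMOTE_USER is already set here because per-directory rules run
    # after authentication.
    RewriteRule ^$ %{REMOTE_USER}/ [R,L]

    # $1 is the first path segment of the request (user1, user2, ...).
    # The test string is "<login>/<segment>"; the pattern matches only when
    # both halves are identical. The leading "!" negates it, so the rule
    # fires, and answers 403, whenever the segment differs from the login.
    # A login name containing "/" can never match and is refused as well.
    RewriteCond %{REMOTE_USER}/$1 !^([^/]+)/\1$
    RewriteRule ^([^/]+) - [F]
</Directory>
```

Files placed directly in /protected/ are also refused by the second rule, since their name is compared against the login like any other first segment.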