2024-02-14 Oddµ bug maybe
==========================
I had a site where an entire subdirectory was private. Nobody but the
author could read or write those pages. I had configured Apache to
require authentication for this subdirectory.
The config looked a bit like this:
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/oddmu/.htpasswd
Require valid-user
Note the addition of view/secret.
But yesterday I realized that you can run a search in the root. Such a
search includes all the pages in subdirectories, and so Oddmu served
an extract of the pages in the "secret" subdirectory. Adding
|search/secret to the LocationMatch doesn't help.
I had to decide whether to disable search all together, or disable the
search of subdirectories, or add a new feature.
I added a new feature.
It is tied to an environment variable called ODDMU_FILTER. It matches
the directory being searched and the directory where the search
starts. If the directory doesn't match, the pages returned must also
not match; if the directory does match, the pages returned must also
match.
Here's an example of three pages:
* /a
* /public/b
* /secret/c
The environment variable is set: ODDMU_FILTER=^secret/ – what happens
now?
* If you search from the root (doesn't match the filter), then only
pages a and b are searched (they also don't match the filter).
* If you search from /public (doesn't match the filter), then only
page b is searched (also doesn't match the filter). This behaviour
is unchanged from before. Searches start with the directory the user
is looking at.
* If you search from /secret (matches the filter), then only page c is
searched (also matches the filter). This, too, is unchanged from
before.
Naturally, you still need to change to the web server config for the
actual authentication to happen:
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/oddmu/.htpasswd
Require valid-user
I hope I got it right! It's also documented in the oddmu-apache(5)
man page.
#Oddµ