[mod_python] Which handler? (WebDav AA system)

On 10/10/2007, Damjan Georgievski <gdamjan at gmail.com> wrote:
> > If your authenhandler determines that something is public, it can fake
> > that a user has logged in by setting req.user, req.ap_auth_type
> > appropriately and returning OK.
>
> But still, the apache conf will prompt the user for a user/pass ...
> I'm rethinking this part now... The public part can be in another
> namespace (url space).

It will not still prompt for a user/password. This would only occur if
something returned HTTP_UNAUTHORIZED. If you return OK and provided
you also set req.user to some dummy user name such as 'anonymous' to
trick Apache internals so it thinks the user has been authenticated it
can be made to work.

> > There are some examples that might get you started in the mailing list
> > archives searchable from the www.modpython.org site. Beyond that you
> > need to sketch out a bit better what your ideas are for doing it as
> > far as hooking into user databases and directive options for Require
> > that you might want to use. Depending on user database source, there
> > are possibly other modules for Apache available that could also be
> > used.
>
> I don't have any requirements for a database source ... I intended to
> use a simple pickled dictionary to store the user/pass info - just as
> a quick way of storing the info. (Wrinting the pickle wil be rare
> anyway).
>
> BTW,
> any particular modules in mind that I could use??

Even if only to model what you are trying to do, I would explore the
Limit, LimitExcept and Require directives of Apache. This would allow
you in conjunction with group AuthUserFile and AuthGroupFile to at
least work out how you might do this all in Apache for authenticated
users without having to resort to using mod_python in the first place.
It is entirely possible that this itself may be able to be harnessed
to avoid authentication for public read only access.

Sorry, don't have much time to go into this in depth right now.

Graham