4

I would like to be able to do this:

<LocationMatch ^/secret/(.+?)>
  <Limit GET>
    Require group member
  </Limit>
  <LimitExcept GET>
    Require group member
    Require group contributor
  </LimitExcept>
</LocationMatch>

"Require group" lets you suggest lots of groups that are considered with an OR; I require some kind of AND. Satisfy all seems to only influence Require when used with Allow.

Is there a way of controlling group membership with Require/AND?

(I should point out that we are using Atlassian Crowd's Perl module as our group provider, so if it's possible to implement this in the handler, that would work too.)

crb
  • 7,928
  • 37
  • 53

1 Answers1

2

This is a limitation of basic auth. It is basic :) Though this does not directly answer your question, I will offer that if you have an LDAP directory to manage people, you can do something like "Require Filter (|(memberof=group1DN)(memberof=group2DN))" from mod_authz_ldap which would pass if the user was a member of either of those groups. You have more control over it, but obviously that would require a lot more setup than the basic filter. A WHOLE lot more if you don't have users in LDAP.

Alex
  • 6,477
  • 1
  • 23
  • 32
  • Thanks, the answer I hit upon was to implement a "Require allgroups" in the Perl authz module. The answer is "no, you cannot do this with mod_access". – crb Mar 10 '10 at 08:27