Gossamer Forum

Server authentication passing uid to dbman?

My client wanted me to secure his entire site, so I added .htaccess password protection. As soon as I did this, I discovered that dbman no longer asked for a login, meaning that no one could specify a dbman username. I need to restrict access of database output to only the records associated with the user logging in, so they have to be forced to log in.

I enabled that by commenting out the following lines in auth.pl:

# elsif ($server_auth) { # The user has logged in via server authentication.
# return ('ok', $server_auth, &auth_check_permissions($server_auth));
# }

But now of course the user has to log in twice... If dbman can recognize that the user is already authenticated, can it also extract the username from somewhere, so I could restore the above lines, and add code to tell it what to use for a username? That would make the site much more user friendly. Customers don't like to be hassled with multiple password requests during the same session at a site!

Anyone have a fix for this?

Cheers,

Bruce

------------------
Bruce Dienes
bdienes@iname.com
Re: Server authentication passing uid to dbman?
Hi Bruce,

If you uncomment the lines back, then add the users into DBMan you'll be all set. If DBMan sees that the user has logged in via server authentication, it assumes the user is valid and tries to look up their permissions in the password file. If it can't find any it just displays the Home and Log Off functions.

Just add the user into the password file and that's it. It does mean you have to maintain two user lists, but saves the user from typing in the pass twice.

Cheers,

Alex
Re: Server authentication passing uid to dbman?
Hi Bruce,
Not sure my situation is exactly parallel, so I posted it under a new topic "more double login". But this question of passing authentication arises also between multiple db files, I think.
Re: Server authentication passing uid to dbman?
Hello Alex,

I tried putting that code back. I also hacked the line at the beginning of db.cgi that checks the uid so that it gets the info from the server if there is no uid specified:

$in{'uid'} ? ($db_uid = $in{'uid'}) : ($db_uid = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'});

I have the .htaccess file pointing to the dbman password file for authentication, so there is no question of "adding the users" -- it's the same file. Whenever anyone is added to the dbman user file, they are automatically given access to the whole site via .htaccess.

The script does indeed determine the permissions, but whenever I do a search or a "List All" logged in as a normal user (with only the View permission), it returns "No Matching Records". If I log in as admin, the List All does in fact list the whole database.

I have it set that users can list only their own records. But the ones with "no matching records" did indeed have records in the database.

Is there something going on with bypassing the dbman login in that dbman does not know the uid to compare to the appropriate field for displaying only their own records? Can this be hacked into db.cgi somewhere???

Perplexedly,

Bruce


------------------
Bruce Dienes
bdienes@iname.com
Re: Server authentication passing uid to dbman?
I figured out the problem: Server authentication wasn't creating a uid with the random number added and the auth file for dbman to refer to. So I hacked the code in auth.pl at the beginning where it checks for server authentication, and it works like a charm now...

===============================
elsif ($server_auth) { # The user has logged in via server authentication.
    srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
    $db_uid = "$server_auth." . time() . (int(rand(100000)) + 1); # Build User Id
    open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$db_uid. Reason: $!\n");
    print AUTH "$server_auth: $ENV{'REMOTE_HOST'}\n"; # Auth file holds "username: host", as for a normal login
    close AUTH;
    &auth_logging('logged on', $server_auth) if ($auth_logging);
    return ('ok', $db_uid, &auth_check_permissions($server_auth));
}
=========================================

Anyone see any problems with this approach?

Ciao,

Bruce
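The session-file step Bruce describes, as a stand-alone added example (not DBMan's own auth.pl and not Bruce's code): it builds the same "username.time.random" session id from the server-supplied username, writes the auth file in the same "username: host" form, and reads it back the way a later request would. The $auth_dir used here is a throwaway temporary directory standing in for DBMan's configured auth directory; the username character check is an assumption added so that a value taken from the environment cannot be used to write outside that directory.

```perl
#!/usr/bin/perl
# Added example, not DBMan code: create a DBMan-style session file for a user
# already authenticated by the web server (.htaccess), then resolve it back.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumed: in DBMan this comes from the .cfg file; here a temp dir stands in.
my $auth_dir = tempdir(CLEANUP => 1);

# Build a session id and write the auth file for a server-authenticated user.
# Returns the session id, or undef if the username is not acceptable.
sub server_auth_login {
    my ($user, $remote_host) = @_;
    # REMOTE_USER is only set after the server accepted the password, but it is
    # still interpolated into a file name, so restrict it to a safe character
    # set first (assumption: DBMan usernames are word chars, dots and dashes).
    return unless defined $user && $user =~ /^[\w.-]+$/;
    # Same id scheme as auth.pl: username, timestamp, random suffix.
    my $db_uid = "$user." . time() . (int(rand(100000)) + 1);
    open(my $auth, '>', "$auth_dir/$db_uid")
        or die "unable to open auth file: $auth_dir/$db_uid. Reason: $!\n";
    # Same record layout as a normal DBMan login: "username: host".
    print {$auth} "$user: " . ($remote_host // '') . "\n";
    close $auth;
    return $db_uid;
}

# Resolve a session id back to the username stored in its auth file.
# Returns undef for a missing, malformed or unsafe session id.
sub session_user {
    my ($db_uid) = @_;
    return unless defined $db_uid && $db_uid =~ /^[\w.-]+$/;
    open(my $auth, '<', "$auth_dir/$db_uid") or return;
    my $line = <$auth>;
    close $auth;
    return unless defined $line && $line =~ /^(\S+):\s/;
    return $1;
}

# Constructed sample request: what the CGI sees after an .htaccess login.
local $ENV{'REMOTE_USER'} = 'bruce';
local $ENV{'REMOTE_HOST'} = 'client.example';

my $uid = server_auth_login($ENV{'REMOTE_USER'}, $ENV{'REMOTE_HOST'});
die "login rejected\n" unless defined $uid;
print "session id: $uid\n";
print "owner: ", session_user($uid), "\n";
print "malformed session id rejected\n"
    unless defined session_user('../not-a-session');
```

Because the auth file records the username, the later permission lookup and the "show only my own records" comparison have a real uid to work with, which is what was missing when the DBMan login was bypassed. Keeping the usernames in the .htaccess password file and the DBMan password file identical, as Bruce does, is what makes the file contents line up.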