How check-ACL works

From: Rob McCool 
Newsgroups: netscape.devs-nsapi
Subject: Re: Rq->vars:path setting and Check-ACL
Date: Wed, 18 Dec 1996 16:47:05 -0800

Tom Hautesserres wrote:
> 
> Hi,
> 
> I have noticed that, if I set the rq->vars:path variable by myself,
> and I don't let the NameTrans document-root do it, then the check-ACL
> function is not called (or at least does not react).
> 
> So I guess that this check-ACL function is not only based on
> rq->vars:path, but on some other internal var. Which one ?
> 
> I already know that check-ACL does not care about auth-user but
> require the entire authorization header to be set. Is there any other
> trick for the pathnames ?

Here's some more specific information I got from the person who wrote
check-acl:


There's a lot of information missing from his description of
what he's doing.  I'll assume:

  . He's setting "path" in a NameTrans function invoked from
    the default object.

  . The check-acl function is called from a PathCheck in some
    object associated with the "path" that he sets.

If this is the case, then no otherassociated with his "path" value will get executed either, not
just the check-acl.

At the beginning of NameTrans, the variable "ppath" is set to
the requested URI.

NameTrans functions generally modify the value of "ppath" to
perform a translation.

At the end of NameTrans, the final value of "ppath" is morphed
into "path", i.e. the name of the variable is changed.

Setting "path" in a NameTrans function will result in two
"path" values in the rq->vars pblock at the end of NameTrans.

The code that determines the set of objects (in obj.conf) that
apply to a particular request is part of NameTrans processing.
It matches objects based on the value of "ppath", so setting
"path" will not cause any additional objects to be selected.
Unless the URI itself matches some objects, only the default
object will be used.

--
Rob McCool, robm@netscape.com http://home.netscape.com/people/robm/
Stunt Programmer, Netscape Communications Corporation
It was working ten minutes ago, I swear...

Reproduced by permission of the author.