Matt - That method didn't work for me... it got into an internal recursion and bombed out after 10 redirects. I think you do perhaps need to test for something to stop it going on forever.
Andre - I think you are right... that's why you still need to have a "Require user <user>" in a separate directive for each directory.... it's a pain but the only way I can see it working. I think perhaps you could write a macro to automatically add this directive for each directory - but I haven't got into that yet.

Steve

On Thu, Feb 5, 2009 at 6:41 PM, André Warnier <a...@ice-sa.com> wrote:
> Matt McCutchen wrote:
>
>> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>>
>>> I managed to do something similar in the end, using the prefix user_
>>> for each user directory then adding .htaccess to root dir of:
>>>
>>> AuthType Basic
>>> AuthName "Restricted Files"
>>> AuthUserFile /var/www/passwd/htpasswd
>>> Require valid-user
>>>
>>> RewriteEngine on
>>> RewriteCond $1 !^user_
>>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>>> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>>
>>> The only problem with this is that any user could access other users'
>>> directories... so I then had to add an additional .htaccess of
>>> require user spidie
>>>
>>> to the user_spidie directory... etc etc.
>>>
>>
>> If you put the rewrite rules in the main server configuration rather
>> than an htaccess file, you don't have to worry about them being run
>> multiple times, so you can drop the user_ prefix and condition. You
>> don't need to condition on %{REMOTE_USER} either because rewrite rules
>> don't run until after the user gains authorization. The rule I gave
>> earlier (updated for your directory name) should just work:
>>
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
>> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me logs in as user1 and then requests in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>    "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>

--
I did have a signature, but the dog ate it.
google:steve.dalton | skype:spidieman | msn: m...@steve.dalts.net | yahoo:daltonsp | aol: spidie100 | twitter: @spidie | mynetfone:09203861
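An added example, not code from the thread and not Apache's own code: a small Python model of the rewrite Matt proposed (`RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1`) together with the traversal case André asks about. It reproduces the literal string substitution mod_rewrite would perform, then applies the checks a practitioner would want around it: the username charset test from Steve's `RewriteCond`, percent-decoding of the request path, dot-segment normalisation, and a containment test that expresses the same property the per-directory `Require user <user>` enforces. The model deliberately normalises after the substitution, i.e. it takes the pessimistic reading in which `..` survives into the rewritten path; the document root and the `[a-z0-9_]+` pattern are taken from the thread, the function names and sample requests are assumptions made for this example.

```python
"""Model of the per-user RewriteRule from the thread and of the
traversal concern raised about it.  Added example, not Apache code."""
import posixpath
import re
from urllib.parse import unquote

# Paths and pattern taken from the thread; everything else is assumed.
DOCROOT = "/var/www/accesstest"
USER_RE = re.compile(r"^[a-z0-9_]+$")   # Steve's RewriteCond on %{REMOTE_USER}


def rewrite_literal(remote_user, request_path):
    """The plain substitution that
    RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
    performs, with no normalisation (the reading in André's question)."""
    return f"{DOCROOT}/{remote_user}/{request_path.lstrip('/')}"


def canonical(path):
    """Resolve '.' and '..' segments and collapse repeated slashes,
    the way a browser or a server's URI normalisation would."""
    return posixpath.normpath(path)


def resolve(remote_user, request_path):
    """Return (literal_target, canonical_target, allowed).

    allowed is True only if the username passes the charset check and the
    canonical target still lies inside that user's own directory, which is
    exactly what a per-directory 'Require user <user>' guarantees."""
    if not USER_RE.match(remote_user):
        # A username such as '../user2' would itself be a traversal vector;
        # the htpasswd file does not forbid '/' or '.' in a username.
        return None, None, False
    decoded = unquote(request_path)          # '%2e%2e' becomes '..' after decoding
    literal = rewrite_literal(remote_user, decoded)
    target = canonical(literal)
    home = posixpath.join(DOCROOT, remote_user)
    # Compare on a path boundary so 'user10' does not pass as 'user1'.
    allowed = target == home or target.startswith(home + "/")
    return literal, target, allowed


if __name__ == "__main__":
    # Constructed sample requests: a normal one, André's '..' case,
    # the same with percent-encoded dots, and a hostile username.
    for user, uri in [("user1", "/index.html"),
                      ("user1", "/../user2/index.html"),
                      ("user1", "/%2e%2e/user2/index.html"),
                      ("../user2", "/index.html")]:
        print(user, uri, "->", resolve(user, uri))
```

Run as a script it prints, for each sample request, the literal rewrite target, the normalised path and whether the request stays confined to the user's directory; the second and third requests show the path that the literal substitution produces for André's example and that normalisation resolves it to `/var/www/accesstest/user2/index.html`, which is exactly why a per-user `Require user` (or an equivalent containment check) is still needed even when the rewrite uses `%{REMOTE_USER}`.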