2024-02-14 Oddµ bug maybe

I had a site where an entire subdirectory was private. Nobody but the author could read or write those pages. I had configured Apache to require authentication for this subdirectory.

The config looked a bit like this:

```
<LocationMatch "^/(edit|save|add|append|upload|drop|view/secret)/">
  AuthType Basic
  AuthName "Password Required"
  AuthUserFile /home/oddmu/.htpasswd
  Require valid-user
</LocationMatch>
```

Note the addition of `view/secret`.

But yesterday I realized that you can run a search in the root. Such a search includes all the pages in subdirectories, and so Oddmu served an extract of the pages in the "secret" subdirectory. Adding `|search/secret` to the `LocationMatch` doesn't help, because the search runs in the root and its URL never matches that path.

I had to decide whether to disable search altogether, or disable the search of subdirectories, or add a new feature.

I added a new feature.

It is tied to an environment variable called `ODDMU_FILTER`. Its value is a regular expression that is matched against the directory where the search starts and against the pages found. If the directory doesn't match, the pages returned must also not match; if the directory does match, the pages returned must also match.

Here's an example of three pages:

The environment variable is set: `ODDMU_FILTER=^secret/` – what happens now?

Naturally, you still need to change the web server config for the actual authentication to happen:

```
<LocationMatch "^/(edit|save|add|append|upload|drop|view/secret|search/secret)/">
  AuthType Basic
  AuthName "Password Required"
  AuthUserFile /home/oddmu/.htpasswd
  Require valid-user
</LocationMatch>
```
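
The filter rule and the Apache pattern above, combined in a Go sketch that is added here for illustration and is not Oddmu's own code. The page names and the `/search/<dir>/` URL layout are assumptions; the two regular expressions are the ones from this post. It shows that a root search never triggers the password prompt, which is why the filter has to hide the secret pages there.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Taken from the post: the Apache LocationMatch pattern and the filter value.
var authRequired = regexp.MustCompile(`^/(edit|save|add|append|upload|drop|view/secret|search/secret)/`)
var filter = regexp.MustCompile(`^secret/`)

// Constructed sample page names, relative to the site root (assumption).
var pages = []string{"index", "notes/todo", "secret/diary", "secret/plans/2024"}

// visible applies the rule from the post: the filter must match both the
// directory where the search starts and the page, or neither of them.
func visible(dir, page string) bool {
	return filter.MatchString(dir) == filter.MatchString(page)
}

// search returns the pages below dir ("" is the root) that pass the filter.
func search(dir string) []string {
	var hits []string
	for _, p := range pages {
		if strings.HasPrefix(p, dir) && visible(dir, p) {
			hits = append(hits, p)
		}
	}
	return hits
}

// needsAuth reports whether Apache would ask for a password for this URL path.
func needsAuth(path string) bool {
	return authRequired.MatchString(path)
}

func main() {
	// Assumed URL layout: /search/<dir>/ starts a search in <dir>.
	for _, dir := range []string{"", "notes/", "secret/"} {
		path := "/search/" + dir
		fmt.Printf("%-16s auth=%-5v hits=%v\n", path, needsAuth(path), search(dir))
	}
}
```

Only the search that starts in `secret/` returns secret pages, and that is the one path the `LocationMatch` pattern puts behind authentication.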

I hope I got it right! It's also documented in the oddmu-apache(5) man page.
