Topic: Directory (and Limit) directive clash on wildcard vs. non-wildcard selection

samaruba

Hi,
I have a webapp that manages an FTP tree for each user, so that it must be partially manageable by the webapp, and partially by the user. So, I have the following needs:
  • Homedir / is just readable (no upload, no mkdir, etc.)
  • Folder "/users" is read-only (user can read, download, cwd, etc.)
  • any folder on root not named /users is read-only (substantially, all 1st level folders are read-only)
  • And this is what I can't do: in each folder not named /users it is possible to create directories, and inside each dir it is possible to upload files. No further folders can be created

Example
/ -- root folder, it can just be read, and folders navigated
/BOOK1 -- in this folder (existence managed by webapp) user can create/remove folders, but not upload files. Folder itself can't be removed, renamed, etc.
/BOOK1/CHAPTER1 -- folder was created by user; here it is possible to upload, rename, delete everything, but not create folders
/BOOK2 -- (existence managed by webapp) here user can create folders, but not upload files
/users -- (existence managed by webapp) read-only folder
/users/ghostwriter1 -- read-only folder (again, managed by webapp)
/users/ghostwriter1/BOOK1 -- read-only folder
/users/ghostwriter1/BOOK1/CHAPTER1 -- read-only folder (but it could be nice to have this folder r/w...)
etc. etc..

This is my attempt:

Code:
<Global>
  <Directory ~>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/users>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/*/*>
     <Limit APPE DELE RNTO STOR STOU>
         DenyAll
     </Limit>
     <Limit MKD RMD XMKD XRMD>
         AllowAll
     </Limit>     
  </Directory>
  <Directory ~/users/*/*/*/*>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/*/*/*>
     <Limit APPE DELE RNTO STOR STOU>
         AllowAll
     </Limit>     
     <Limit MKD RMD XMKD XRMD>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/users/*>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
</Global>


With this example, I can still create directories under /users (but not add files), and everything else works fine, but nothing for the /users folder. I moved the ~/users directive everywhere, but it seems that "*" directives always have precedence. I tried with DenyFilter too, but it works on a single file/folder name, not on the whole path, so I gave up. It seems that /*/* and /users/* clash and the first has precedence over the second: always, no matter where it is placed. Correct?
So, substantially, it seems that it is NOT possible to add detailed properties for a specific folder at the same level of generic ones using wildcards. Or maybe I was unable to configure it correctly, and in that case I would like to understand how I can do it: any suggestion will be greatly appreciated.

If it is not currently possible, I kindly ask if it is possible to add, in future versions, a new filtering directive, e.g. inside "Limit", that can raise a 550 Operation not permitted based on the full upload path. E.g. something like
Code:
<Directory ~/*/*>
   <Limit ALL>AllowAll</Limit>
   <Limit WRITE>DenyPath "^/users/.+$"</Limit>
</Directory>
Or add a precedence inside the Directory directive, where a non-wildcarded directory can override/be evaluated after a wildcarded one.

Thank you,
Kind regards

Samuele
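
The access policy requested in the post above, written as a full-path decision function (an added example, not part of the original posts and not ProFTPD code). The command groups come from the posted `<Limit>` lines; `canonical_parts`, `decide` and `audit` are hypothetical names, and the paths in the comments are constructed. Paths are resolved lexically before the decision, so `/BOOK1/../users/x` is judged as `/users/x`.

```python
# Command groups copied from the <Limit> lines in the posted configuration.
FILE_CMDS = {"APPE", "DELE", "RNTO", "STOR", "STOU"}
DIR_CMDS = {"MKD", "RMD", "XMKD", "XRMD"}


def canonical_parts(path, cwd="/"):
    """Resolve an FTP path argument against cwd into a list of components."""
    raw = path if path.startswith("/") else cwd + "/" + path
    parts = []
    for comp in raw.split("/"):
        if comp in ("", "."):
            continue  # repeated slashes and "." add nothing
        if comp == "..":
            if parts:
                parts.pop()  # ".." at the root stays at the root
            continue
        parts.append(comp)
    return parts


def decide(command, path, cwd="/"):
    """Return True if the requested policy allows the command on the path."""
    cmd = command.upper()
    if cmd not in FILE_CMDS | DIR_CMDS:
        return True  # commands outside the two posted groups are not modelled
    parts = canonical_parts(path, cwd)
    if parts and parts[0] == "users":
        return False  # the whole /users tree is read-only
    if cmd in DIR_CMDS:
        return len(parts) == 2  # e.g. MKD /BOOK1/CHAPTER1
    return len(parts) == 3  # e.g. STOR /BOOK1/CHAPTER1/page.txt


def audit(cases):
    """Given (command, path, observed_allowed) tuples, e.g. recorded from a
    test session against a server, return those that disagree with the model."""
    return [(c, p, seen) for c, p, seen in cases if decide(c, p) != seen]
```

Feeding `audit` the results of a scripted test login shows which paths a given configuration handles differently from the intended policy.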

Julle

I'm guessing that it's good for the devs to know that it's more than one person that is asking for this, so here is my voice for it as well // Julle
All info is good info.

 
