Topic: Directory (and Limit) directive clash on wildcard vs. non-wildcard selection

Offline samaruba

Hi,
I have a webapp that manages an FTP tree for each user, so that it must be partially manageable by the webapp, and partially by the user. So, I have the following needs:
  • Homedir / is just readable (no upload, no mkdir, etc)
  • Folder "/users" is read-only (user can read, download, cwd etc)
  • any folder on root not named /users is read-only (substantially, all 1st level folders are read-only)
  • And this is what I can't do: in each folder not named /users it is possible to create directories, and inside each dir it is possible to upload files. No further folders can be created

Example
/ -- root folder, it can just be read, and folders navigated
/BOOK1 -- in this folder (existence managed by webapp) user can create/remove folders, but not upload files. Folder itself can't be removed, renamed, etc.
/BOOK1/CHAPTER1 -- folder was created by user; here it is possible to upload, rename, delete everything, but not create folders
/BOOK2 -- (existence managed by webapp) here user can create folders, but not upload files
/users -- (existence managed by webapp) read only folder
/users/ghostwriter1 -- read only folder (again, managed by webapp)
/users/ghostwriter1/BOOK1 -- read only folder
/users/ghostwriter1/BOOK1/CHAPTER1 -- read only folder (but it could be nice to have this folder r/w...)
etc. etc..

This is my attempt:

Code:
<Global>
  <Directory ~>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/users>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/*/*>
     <Limit APPE DELE RNTO STOR STOU>
         DenyAll
     </Limit>
     <Limit MKD RMD XMKD XRMD>
         AllowAll
     </Limit>     
  </Directory>
  <Directory ~/users/*/*/*/*>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/*/*/*>
     <Limit APPE DELE RNTO STOR STOU>
         AllowAll
     </Limit>     
     <Limit MKD RMD XMKD XRMD>
         DenyAll
     </Limit>
  </Directory>
  <Directory ~/users/*>
     <Limit WRITE>
         DenyAll
     </Limit>
  </Directory>
</Global>


With this example, I can still create directories under /users (but not add files), and everything else works fine, but nothing for /users folder. I moved the ~/users directive everywhere, but it seems that "*" directives always have precedence. I tried with DenyFilter too, but it works on a single file/folder name, not on the whole path, so I gave up. It seems that /*/* and /users/* clash and the first has precedence over the second: always, no matter where it is placed. Correct?
So, substantially, it seems that it is NOT possible to add detailed properties for a specific folder at the same level of generic ones using wildcards. Or maybe I was unable to configure it correctly, in which case I would like to understand how I can do it: any suggestion will be greatly appreciated.

If it is not currently possible, I kindly ask if it is possible to add, in future versions, a new filtering directive, e.g. inside "Limit", that can raise a 550 Operation not permitted based on the full upload path. E.g. something like:
Code:
<Directory ~/*/*>
   <Limit ALL>AllowAll</Limit>
   <Limit WRITE>DenyPath "^/users/.+$"</Limit>
</Directory>
Or add a precedence inside the Directory directive, where a non-wildcarded directory can override/be evaluated after a wildcarded one.

Thank you,
Kind regards

Samuele
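
The access policy described in the post above, written as a small Python oracle that the results of a test FTP client can be checked against (an added example, not part of the original post and not ProFTPD code). Assumptions: paths are relative to the FTP home, the `users` match is exact and case-sensitive, everything under /users stays read-only, and the sample results are constructed from the behaviour the post reports.

```python
import posixpath

# Command lists copied from the <Limit> sections in the post.
DIR_CMDS = {"MKD", "RMD", "XMKD", "XRMD"}
FILE_CMDS = {"APPE", "DELE", "RNTO", "STOR", "STOU"}
READ_ONLY_TREE = "users"  # assumption: exact, case-sensitive match


def components(path):
    """Split a path (relative to the FTP home) after resolving '.' and '..'."""
    norm = posixpath.normpath("/" + path.strip("/"))
    return [c for c in norm.split("/") if c]


def allowed(cmd, path):
    """Return True if `cmd` on target `path` fits the policy in the post."""
    cmd = cmd.upper()
    if cmd not in DIR_CMDS | FILE_CMDS:
        return True                      # reads and navigation are always fine
    parts = components(path)
    if parts and parts[0] == READ_ONLY_TREE:
        return False                     # /users and everything below: read-only
    if len(parts) == 2:
        return cmd in DIR_CMDS           # /BOOK1/CHAPTER1: folder operations only
    if len(parts) == 3:
        return cmd in FILE_CMDS          # /BOOK1/CHAPTER1/file: file operations only
    return False                         # root, first level, and anything deeper


def mismatches(observed):
    """Return every observed (cmd, path, succeeded) that disagrees with the policy.

    `observed` is what a test client recorded against a candidate config.
    """
    return [(c, p, ok) for c, p, ok in observed if allowed(c, p) != ok]


# Constructed sample: the behaviour the post reports (MKD under /users succeeds).
REPORTED = [
    ("MKD", "/users/newdir", True),
    ("STOR", "/users/file.txt", False),
    ("MKD", "/BOOK1/CHAPTER1", True),
    ("STOR", "/BOOK1/CHAPTER1/page.txt", True),
    ("MKD", "/BOOK1/CHAPTER1/sub", False),
]

if __name__ == "__main__":
    for case in mismatches(REPORTED):
        print("policy violation:", case)
```

Running the same command/path matrix after each change to the `<Directory>` sections shows at once whether a rule reordering closed the /users gap or opened a new one elsewhere.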

Offline samaruba

Any further info about this issue?