Forum OpenACS Q&A: Re: Restrict access to a package based on IP address range?

Posted by Brian Fenton on
Cool! Thanks Malte. So, it's preauth I want, not postauth? The AOLserver docs say that postauth means "before page data has been returned to the user" so I guess that's too late in the process. So preauth it is.

I took a look in /packages/acs-subsite/tcl/acs-subsite-init.tcl but all the code is commented out.  /tcl/0-acs-init.tcl doesn't have any filters either. Is there another place to put filters?

Brian, a postauth filter should be just fine, you don't need preauth. (But nor do I remember why you should prefer one over the other; I recommend checking the AOLserver docs.) Way back when (with ACS 4.2), I did some IP based access control by registering a filter like this:

ad_register_filter -critical t -debug t postauth * /foo/* my_access_control_proc

Note that in my case the URLs I was dealing with were not part of any OpenACS package, so the my_access_control_proc above was doing a big nasty query implementing all the different access control rules (IP based, OpenACS user/group based, etc.) at once. If the query said access is approved, the proc just returns filter_ok. If the query said denied, it sends a nice templated access denied yada yada page to the user and returns filter_return.

You'll probably also want to cache the results of that access control proc for a limited time with util_memoize, but you can worry about that later once you have it working.
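
A sketch of the kind of filter proc described in the post above, as an added example that is not code from the thread: it checks the client address against a list of CIDR ranges rather than running a database query. The helper proc names, the CIDR ranges, the 300-second cache time, the (conn arg why) argument list and the use of ns_returnforbidden in place of a templated page are assumptions.

```tcl
# Added example; helper names and CIDR ranges are constructed placeholders.

# Dotted-quad IPv4 -> integer, or "" if malformed. scan %d avoids Tcl
# treating octets such as "010" as octal.
proc my_ip_to_int {ip} {
    set octets [split $ip .]
    if {[llength $octets] != 4} { return "" }
    set n [expr {wide(0)}]
    foreach o $octets {
        if {![regexp {^[0-9]{1,3}$} $o]} { return "" }
        scan $o %d v
        if {$v > 255} { return "" }
        set n [expr {$n * 256 + $v}]
    }
    return $n
}

# 1 if $ip is inside $cidr, else 0 (also 0 for anything unparsable).
proc my_ip_in_cidr {ip cidr} {
    if {![regexp {^([0-9.]+)/([0-9]{1,2})$} $cidr -> net bits]} { return 0 }
    scan $bits %d bits
    set a [my_ip_to_int $ip]
    set n [my_ip_to_int $net]
    if {$a eq "" || $n eq "" || $bits > 32} { return 0 }
    set size [expr {wide(1) << (32 - $bits)}]
    return [expr {$a / $size == $n / $size}]
}

# Decision for one client address; default is deny.
proc my_ip_allowed_p {ip} {
    foreach cidr {192.0.2.0/24 10.0.0.0/8} {
        if {[my_ip_in_cidr $ip $cidr]} { return 1 }
    }
    return 0
}

# The filter: filter_ok continues the request, filter_return stops it
# once the denial response has been sent.
proc my_access_control_proc {conn arg why} {
    set ip [ns_conn peeraddr]
    # Cache each address's decision for 300 seconds.
    if {[util_memoize [list my_ip_allowed_p $ip] 300]} { return filter_ok }
    ns_log Notice "access control: denied $ip for [ns_conn url]"
    ns_returnforbidden   ;# stand-in for the templated denial page
    return filter_return
}

ad_register_filter -critical t -debug t postauth * /foo/* my_access_control_proc
```

ns_conn peeraddr is the address of the directly connected peer, so behind a reverse proxy every request appears to come from the proxy. The Notice line written on each denial gives a way to confirm from the server log that the filter actually runs for the URLs it is meant to cover.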

Posted by Jeff Davis on
I think it's tricky to use postauth filters since the request processor hijacks everything and runs as a preauth filter (iirc). You should definitely be careful to make sure the filter is in fact invoked for all requests.