Brian, a postauth filter should be just fine, you don't need preauth.
(But nor do I remember why you should prefer one over the other; I
recommend checking the AOLserver docs.) Way back when (with ACS 4.2),
I did some IP based access control by registering a filter like this:
ad_register_filter -critical t -debug t postauth * /foo/* my_access_control_proc
Note that in my case the URLs I was dealing with were not
part of any OpenACS package, so the
my_access_control_proc above was doing a big nasty query
implementing all the different access control rules (IP based, OpenACS
user/group based, etc.) at once. If the query said access is
approved, the proc just returns filter_ok. If query said
denied, send a nice templated access denied yada yada page to the
user, and return filter_return.
You'll probably also want to cache the results of that access control
proc for a limited time with util_memoize, but you can worry about
that later once you have it working.
