Forum OpenACS Q&A: AS4: using nsperm?

Posted by Randy O'Meara on
Has anyone successfully used the nsperm module with AOLserver 4? I moved a known good configuration from AS 3.3+oacs1 server to AS 4 beta server and it fails to present the credential dialog box. Before I go on to upgrading AS to the current release, I'd like to know that someone has successfully used the nsperm module under AS4.

BTW, the nsperm module loads normally without indicating a problem.



2: Re: AS4: using nsperm? (response to 1)
Posted by Jamie Rasmussen on
It looks like nsperm had a fair amount of code cleanup in AOLserver 4, so you'll want to confirm that you fetched the 4 version of the module from CVS and compiled that. (I don't think there were many functional changes.)

I believe there's a serious but easily fixed bug in AOLserver 4.x's nsperm - someone please correct me if I'm wrong. (I emailed the ACT about this in Nov. but didn't get a response and forgot about it.) It looks to me like the logic for implicit allow's is reversed. As I understand it, what is supposed to happen is that an "allowgroup" command in the perms file implicitly denies access to other groups, and a "denygroup" command in the perms file implicitly allows access to other groups. Currently, in AllowDenyCmd, permPtr->implicit_allow is set to 1 for the allow commands and 0 for the deny commands, the opposite of what should happen.

Here's a patch (last is only important one)

cvs server: Diffing .
Index: nsperm.c
RCS file: /cvsroot/aolserver/aolserver/nsperm/nsperm.c,v
retrieving revision 1.8
diff -u -r1.8 nsperm.c
--- nsperm.c    7 Mar 2003 18:08:50 -0000       1.8
+++ nsperm.c    5 Feb 2004 03:13:26 -0000
@@ -242,7 +242,7 @@
  * AuthProc --
  *     Authorize a URL--this callback is called when a new
- *     connection is recieved
+ *     connection is received
  * Results:
  *     NS_OK: accept;
@@ -312,7 +312,7 @@

-     * Check for a vaild user address.
+     * Check for a valid user address.

     if (!ValidateUserAddr(userPtr, peer)) {
@@ -833,7 +833,7 @@
        Tcl_InitHashTable(&permPtr->denygroup, TCL_STRING_KEYS);
        Ns_UrlSpecificSet(servPtr->server, method, url, uskey, permPtr, flags, NULL);
-    permPtr->implicit_allow = allow;
+    permPtr->implicit_allow = !allow; // JCR: Implicitly we do the opposite of the command
     if (user) {
        if (allow) {
             (void) Tcl_CreateHashEntry(&permPtr->allowuser, key, &new);
3: Re: AS4: using nsperm? (response to 1)
Posted by Randy O'Meara on
Thank you, Jamie.

Just to clarify... you have nsperm working with AS4 with the patch you provided, and it will not work without your patch?


4: Re: AS4: using nsperm? (response to 3)
Posted by Jamie Rasmussen on
That's correct - I'm running a custom build of AOLserver 4.0 GM with various patches on Win32, so your mileage may vary.  nsperm wasn't working for me without my patch.  At least basic nsperm functionality is now working.

If you can avoid using nsperm, I would recommend it, simply because it isn't very flexible, e.g. you have to restart the server to make changes to permissions.

5: Re: AS4: using nsperm? (response to 1)
Posted by Randy O'Meara on
Thanks again, Jamie.

Just to finish up this thread... I did apply your patch (manually) and nsperm worked as expected.

I also took your advice and abandoned its use.