Forum OpenACS Q&A: Re: AS4: using nsperm?

2: Re: AS4: using nsperm? (response to 1)
Posted by Jamie Rasmussen on
It looks like nsperm had a fair amount of code cleanup in AOLserver 4, so you'll want to confirm that you fetched the 4 version of the module from CVS and compiled that. (I don't think there were many functional changes.)

I believe there's a serious but easily fixed bug in AOLserver 4.x's nsperm - someone please correct me if I'm wrong. (I emailed the ACT about this in Nov. but didn't get a response and forgot about it.) It looks to me like the logic for implicit allow's is reversed. As I understand it, what is supposed to happen is that an "allowgroup" command in the perms file implicitly denies access to other groups, and a "denygroup" command in the perms file implicitly allows access to other groups. Currently, in AllowDenyCmd, permPtr->implicit_allow is set to 1 for the allow commands and 0 for the deny commands, the opposite of what should happen.

Here's a patch (last is only important one)

cvs server: Diffing .
Index: nsperm.c
RCS file: /cvsroot/aolserver/aolserver/nsperm/nsperm.c,v
retrieving revision 1.8
diff -u -r1.8 nsperm.c
--- nsperm.c    7 Mar 2003 18:08:50 -0000       1.8
+++ nsperm.c    5 Feb 2004 03:13:26 -0000
@@ -242,7 +242,7 @@
  * AuthProc --
  *     Authorize a URL--this callback is called when a new
- *     connection is recieved
+ *     connection is received
  * Results:
  *     NS_OK: accept;
@@ -312,7 +312,7 @@

-     * Check for a vaild user address.
+     * Check for a valid user address.

     if (!ValidateUserAddr(userPtr, peer)) {
@@ -833,7 +833,7 @@
        Tcl_InitHashTable(&permPtr->denygroup, TCL_STRING_KEYS);
        Ns_UrlSpecificSet(servPtr->server, method, url, uskey, permPtr, flags, NULL);
-    permPtr->implicit_allow = allow;
+    permPtr->implicit_allow = !allow; // JCR: Implicitly we do the opposite of the command
     if (user) {
        if (allow) {
             (void) Tcl_CreateHashEntry(&permPtr->allowuser, key, &new);