Forum OpenACS Q&A: How do I constrain an OpenACS web-site

Request notifications

I'm wondering which is the easiest way to constrain an OpenACS 3.2.4 web-site, so that users cannot access pages/modules, which I don't want the user to see and mess around with.

The obvious way is to delete all www-subdirectories that are not used. But this makes it difficult to add features later! Any suggestions?

Collapse
Posted by Mike Slack on
Well, you could put an ns_returnredirect at the tops of pages you
don't want users to see.  It will send them to whatever page you specify.

Or you could insert something like this at the top of the pages:

ns_return 404 text/html [not_found_message]

where not_found_message is a procedure you have defined that will
produce an html page with whatever message you want users to get when
they request a "not found" page.

One thing I don't remember is if Aolserver will process the rest of
the page if you put an ns_return or ns_returnredirect at the top.
Does anyone else know the answer to this?

Collapse
Posted by Ola Hansson on
I second Mike's first proposal.

You can do it the way it's done in /shared/index.tcl; just one line:
ns_returnredirect "filenotfound", and then rename the original index.tcl file index.tcl.old in the involved module.
(And no, it won't process the rest of the page)

BTW Martin, your site looks *good*:-)

Collapse
Posted by Ola Hansson on
...I specifically meant that Martin's newly posted site in the 'sites that run on OpenACS' section looks good;-)
Collapse
Posted by Don Baccus on
You can also do it by registering filters.  If you're just using a few  modules, you could register filters that allow URLs of the proper form (everything in /bboard, for instance) and reject those not on the  list, redirecting them to a "sorry charlie" page.  Much easier than changing all the pages, but more overhead per page.

Since everything in /admin is normally restricted to administrators, you can leave that open so you can add modules using the UI later (remembering to then add them to the list of "allowed URLs" in your filter).

Collapse
Posted by Michael A. Cleverly on
"One thing I don't remember is if Aolserver will process the rest of the page if you put an ns_return or ns_returnredirect at the top. Does anyone else know the answer to this?"
An ns_return does not terminate processing. A return [ns_return ...] will do the trick. Otherwise AOLserver starts feeding up a page to the user & continues processing.