Now for something technically more challenging, because it cost me several hours of debugging, but was pretty simple actually. In case somebody else on the world tries to restrict read/write-permissions to a WebDav directory with the AuthExternal module, they can find a solution here :)
For my newest project in work I am setting up a project server offering Git repositories, a web page and maybe more. Something similar to GitHub but we want to maintain the repositories ourselves. I’m using Drupal for the web page and the access control and a selfwritten module (called Git Repository) for the interaction with the Git archives (I didn’t really find a matching module for this job, at least for Drupal 7).
Access to the Git Repositories is limited to http(s) via WebDav currently, using the Apache2 AuthExternal module for authentication. In the „Git Repository“-module there are two scripts which handle interaction – they connect to Drupal asking for read/write-permission to the linked node.
For checking read/write-permission I used this howto, but I had the problem it didn’t work, write access was still possible to the directory, though the script returned the correct exit-codes.
This is the .htaccess-file:
AuthType Basic
AuthName "Repository"
AuthBasicProvider external
AuthExternal git_repo
GroupExternal git_repo
<LimitExcept GET HEAD OPTIONS>
Require group may_write
</LimitExcept>
Require group may_read
According to the howto this should be correct … and it is, I tested it without GroupExternal authentication. After several hours of debugging I came up with a really simple solution:
Apparently GroupExternal does a fall-back to the default „Require group“ statement in case the limited „Require group“ statement fails. So my simple solution was to just use negative logic:
AuthType Basic
AuthName "Repository"
AuthBasicProvider external
AuthExternal git_repo
GroupExternal git_repo
<Limit GET HEAD OPTIONS>
Require group may_read
</Limit>
Require group may_write
Voila, problem solved.