This file is indexed.

/usr/share/doc/libapache2-mod-python-doc/doc-html/hand-pub-alg-auth.html is in libapache2-mod-python-doc 3.3.1-11.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<link rel="STYLESHEET" href="modpython.css" type='text/css' />
<link rel="first" href="modpython.html" title='Mod_python Manual' />
<link rel='contents' href='contents.html' title="Contents" />
<link rel='index' href='genindex.html' title='Index' />
<link rel='last' href='about.html' title='About this document...' />
<link rel='help' href='about.html' title='About this document...' />
<link rel="prev" href="hand-pub-alg-args.html" />
<link rel="parent" href="hand-pub-alg.html" />
<link rel="next" href="node103.html" />
<meta name='aesop' content='information' />
<title>7.1.2.3 Authentication</title>
</head>
<body>
<DIV CLASS="navigation">
<div id='top-navigation-panel' xml:id='top-navigation-panel'>
<table align="center" width="100%" cellpadding="0" cellspacing="2">
<tr>
<td class='online-navigation'><a rel="prev" title="7.1.2.2 Argument Matching and"
  href="hand-pub-alg-args.html"><img src='previous.png'
  border='0' height='32'  alt='Previous Page' width='32' /></A></td>
<td class='online-navigation'><a rel="parent" title="7.1.2 The Publishing Algorithm"
  href="hand-pub-alg.html"><img src='up.png'
  border='0' height='32'  alt='Up One Level' width='32' /></A></td>
<td class='online-navigation'><a rel="next" title="7.1.3 Form Data"
  href="node103.html"><img src='next.png'
  border='0' height='32'  alt='Next Page' width='32' /></A></td>
<td align="center" width="100%">Mod_python Manual</td>
<td class='online-navigation'><a rel="contents" title="Table of Contents"
  href="contents.html"><img src='contents.png'
  border='0' height='32'  alt='Contents' width='32' /></A></td>
<td class='online-navigation'><img src='blank.png'
  border='0' height='32'  alt='' width='32' /></td>
<td class='online-navigation'><a rel="index" title="Index"
  href="genindex.html"><img src='index.png'
  border='0' height='32'  alt='Index' width='32' /></A></td>
</tr></table>
<div class='online-navigation'>
<b class="navlabel">Previous:</b>
<a class="sectref" rel="prev" href="hand-pub-alg-args.html">7.1.2.2 Argument Matching and</A>
<b class="navlabel">Up:</b>
<a class="sectref" rel="parent" href="hand-pub-alg.html">7.1.2 The Publishing Algorithm</A>
<b class="navlabel">Next:</b>
<a class="sectref" rel="next" href="node103.html">7.1.3 Form Data</A>
</div>
<hr /></div>
</DIV>
<!--End of Navigation Panel-->

<H3><A NAME="SECTION009123000000000000000"></A><A NAME="hand-pub-alg-auth"></A>
<BR>
7.1.2.3 Authentication
</H3>

<P>
The publisher handler provides simple ways to control access to
modules and functions.

<P>
At every traversal step, the Publisher handler checks for presence of
<tt class="method">__auth__</tt> and <tt class="method">__access__</tt> attributes (in this order), as 
well as <tt class="method">__auth_realm__</tt> attribute. 

<P>
If <tt class="method">__auth__</tt> is found and it is callable, it will be called
with three arguments: the <tt class="class">Request</tt> object, a string containing
the user name and a string containing the password. If the return
value of
<code>__auth__</code> is false, then <tt class="constant">HTTP_UNAUTHORIZED</tt> is
returned to the client (which will usually cause a password dialog box
to appear).

<P>
If <tt class="method">__auth__</tt> is a dictionary, then the user name will be
matched against the key and the password against the value associated
with this key. If the key and password do not match, 
<tt class="constant">HTTP_UNAUTHORIZED</tt> is returned. Note that this requires
storing passwords as clear text in source code, which is not very secure.

<P>
<tt class="method">__auth__</tt> can also be a constant. In this case, if it is false
(i.e. <tt class="constant">None</tt>, <code>0</code>, <code>""</code>, etc.), then 
<tt class="constant">HTTP_UNAUTHORIZED</tt> is returned.

<P>
If there exists an <code>__auth_realm__</code> string, it will be sent
to the client as Authorization Realm (this is the text that usually
appears at the top of the password dialog box).

<P>
If <tt class="method">__access__</tt> is found and it is callable, it will be called
with two arguments: the <tt class="class">Request</tt> object and a string containing
the user name. If the return value of <code>__access__</code> is false, then
<tt class="constant">HTTP_FORBIDDEN</tt> is returned to the client.

<P>
If <tt class="method">__access__</tt> is a list, then the user name will be matched
against the list elements. If the user name is not in the list, 
<tt class="constant">HTTP_FORBIDDEN</tt> is returned.

<P>
Similarly to <tt class="method">__auth__</tt>, <tt class="method">__access__</tt> can be a constant.

<P>
In the example below, only user "<tt class="samp">eggs</tt>" with password "<tt class="samp">spam</tt>"can access the <code>hello</code> function:

<P>
<div class="verbatim"><pre>
  __auth_realm__ = "Members only"

  def __auth__(req, user, passwd):

      if user == "eggs" and passwd == "spam" or \
          user == "joe" and passwd == "eoj":
          return 1
      else:
          return 0

  def __access__(req, user):
      if user == "eggs":
          return 1
      else:
          return 0

  def hello(req):
      return "hello"
</pre></div>

<P>
Here is the same functionality, but using an alternative technique:

<P>
<div class="verbatim"><pre>
  __auth_realm__ = "Members only"
  __auth__ = {"eggs":"spam", "joe":"eoj"}
  __access__ = ["eggs"]

  def hello(req):
      return "hello"
</pre></div>

<P>
Since functions cannot be assigned attributes, to protect a function,
an <code>__auth__</code> or <code>__access__</code> function can be defined within
the function, e.g.:

<P>
<div class="verbatim"><pre>
  def sensitive(req):

      def __auth__(req, user, password):
          if user == 'spam' and password == 'eggs':
              # let them in
              return 1
          else:
              # no access
              return 0

      # something involving sensitive information
      return 'sensitive information`
</pre></div>

<P>
Note that this technique will also work if <code>__auth__</code> or
<code>__access__</code> is a constant, but will not work is they are
a dictionary or a list. 

<P>
The <code>__auth__</code> and <code>__access__</code> mechanisms exist
independently of the standard 
<em class="citetitle"><a
 href="dir-handlers-auh.html"
 title="PythonAuthenHandler"
 >PythonAuthenHandler</a></em>. It
is possible to use, for example, the handler to authenticate, then the
<code>__access__</code> list to verify that the authenticated user is
allowed to a particular function. 

<P>
<div class="note"><b class="label">Note:</b>
In order for mod_python to access <tt class="function">__auth__</tt>,
the module containing it must first be imported. Therefore, any
module-level code will get executed during the import even if
<tt class="function">__auth__</tt> is false.  To truly protect a module from
being accessed, use other authentication mechanisms, e.g. the Apache
<code>mod_auth</code> or with a mod_python <em class="citetitle"><a
 href="dir-handlers-auh.html"
 title="PythonAuthenHandler"
 >PythonAuthenHandler</a></em> handler.
</div>

<P>

<DIV CLASS="navigation">
<div class='online-navigation'>
<p></p><hr />
<table align="center" width="100%" cellpadding="0" cellspacing="2">
<tr>
<td class='online-navigation'><a rel="prev" title="7.1.2.2 Argument Matching and"
  href="hand-pub-alg-args.html"><img src='previous.png'
  border='0' height='32'  alt='Previous Page' width='32' /></A></td>
<td class='online-navigation'><a rel="parent" title="7.1.2 The Publishing Algorithm"
  href="hand-pub-alg.html"><img src='up.png'
  border='0' height='32'  alt='Up One Level' width='32' /></A></td>
<td class='online-navigation'><a rel="next" title="7.1.3 Form Data"
  href="node103.html"><img src='next.png'
  border='0' height='32'  alt='Next Page' width='32' /></A></td>
<td align="center" width="100%">Mod_python Manual</td>
<td class='online-navigation'><a rel="contents" title="Table of Contents"
  href="contents.html"><img src='contents.png'
  border='0' height='32'  alt='Contents' width='32' /></A></td>
<td class='online-navigation'><img src='blank.png'
  border='0' height='32'  alt='' width='32' /></td>
<td class='online-navigation'><a rel="index" title="Index"
  href="genindex.html"><img src='index.png'
  border='0' height='32'  alt='Index' width='32' /></A></td>
</tr></table>
<div class='online-navigation'>
<b class="navlabel">Previous:</b>
<a class="sectref" rel="prev" href="hand-pub-alg-args.html">7.1.2.2 Argument Matching and</A>
<b class="navlabel">Up:</b>
<a class="sectref" rel="parent" href="hand-pub-alg.html">7.1.2 The Publishing Algorithm</A>
<b class="navlabel">Next:</b>
<a class="sectref" rel="next" href="node103.html">7.1.3 Form Data</A>
</div>
</div>
<hr />
<span class="release-info">Release 3.3.1, documentation updated on January 29, 2007.</span>
</DIV>
<!--End of Navigation Panel-->

</BODY>
</HTML>