I have just committed a complete rewrite of Secure Site to HEAD. The new version should be much easier to maintain, and to improve with features such as digest authentication. I had two goals:

  • Drastically simplify the logic to reduce the number of places bugs can hide.
  • Remove features, such path-based access control, that duplicate features in Drupal core.

As a side effect of the simplified logic, HTTP authentication can be enabled even when the site is not being hidden. Path-based access control has been replaced with access denied detection. Both of these changes duplicate the features of the HTTP Auth module. However, the HTTP Auth module was created because of the poor design of Secure Site, so these changes were long overdue.

Comments

Junyor’s picture

I like the direction the module is going. It makes sense to remove the path-based stuff and do something on 403s instead. Good idea. The way the new module is coded also improves testability. I'll work on porting the unit tests from the DRUPAL-6--1 branch to HEAD so we can get testing.

I did notice an odd loophole. If I have Secure Site set to Always with HTTP Auth, send an unprivileged user's credentials, then hit ESC, I get the password reset dialog with a note about an invalid user. However, reloading the page then shows the normal site, though.

I'm wondering if it makes sense to have the permission at all. Shouldn't it just apply to all authenticated users? Guest mode works for anonymous users. How to handle things when you get a 403 for an authenticated user is unclear.

Darren Oh’s picture

Loophole closed in CVS commit 144824. 403s for authenticated users revert to the 403 page in Drupal's error message settings.

Darren Oh’s picture

Status: Active » Fixed

Version 6.x-2.0 has been released.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

  • Commit 4327747 on 6.x-2.x, 7.x-2.x, master, 8.x-1.x by Darren Oh:
    #310906: Fixed authenticated user permission. Users who did not have...
  • Commit c3b2a00 on 6.x-2.x, 7.x-2.x, master, 8.x-1.x by Darren Oh:
    #310906: More logic improvements. Added support for multiple...