Hi,
I have a rather special problem. We have an installer that relies on a wget to a protected page on my Drupal site for authentication. The wget goes something like this:
wget -q --post-data 'name=$username&pass=$password&form_id=user_login_block' http://mysite.company.com/dl/installers -O - > /dev/null
So the wget supplies a username and password. If the user with that name and password is able to reach the /dl/installers page, then a 200 OK is returned, and the user is authenticated. Otherwise a 403 forbidden is returned, and the user is denied access to install the program. To be successful, the username/pw must belong to a user with the role "partner" (or above).
Now this worked nicely until I installed Authcache (with File Cache). Even when I specify that pages should not be cached for users with role=Partner (and then flush everything imaginable), it does not work.
Disabling Authcache and running with File Cache alone, it does work.
I know that this is a specialized situation, but could it be a hint that something isn't working right?
I must admit I can't really see through it all at that level. I just know that I'd like to have Authcache running again..!
Comments
Comment #1
znerol commented:
Authcache should not store / serve cached pages when there is POST data present on the request. This check for POST-data is implemented at two locations:
In authcache.inc, line 63. Here we ensure that there is no POST data on the request before attempting to return a cached version of the page:
In authcache.helpers.inc, line 34. At this spot it is decided whether the result of the current page request can be stored in the cache:
Those two spots are where you should place your breakpoints to debug the problem.
If you are not into analyzing this problem, you also may try to just exclude the installer-path by adding it to a page caching rule in admin/config/development/performance/authcache/pagecaching.
Comment #2
DeNelo commented:
Thank you, I will look into that!
Comment #3
DeNelo commented:
Hmm, I'm sorry to say that excluding the installer page did not help. I re-enabled Authcache, added the installer page as an exception (even adding the real path (node/xx) for good measure), saved and cleared, cleared every cache, and ran the wget command. It came out with a 403 every time.
The page does not have to be served from the cache; I'm only testing for access to the page. And somehow Authcache doesn't let me.
Comment #4
znerol commented:
Please run wget with the -S flag such that response headers are written to stderr. Then examine the output for the "X-Drupal-Cache" header. When the page was properly excluded from the cache that header should be missing.
Comment #5
simg commented
Comment #6
DeNelo commented:
Sorry for being so long.
With Authcache disabled, the header says, "X-Drupal-Cache: MISS"
Authcache enabled: There is no X-Drupal-Cache, but I get the ERROR 403: Forbidden. Slightly edited output below:
Stumped, I am.
Comment #7
DeNelo commented:
I've now disabled caching entirely for those roles that should have access to downloading the installers. That seemed to do the trick. Strange, because I tried that before.
The trouble is of course that roughly half our users have one of those roles...
Comment #8
znerol commented:
Ok, the log you posted clearly indicates that authcache does not attempt to serve a previously cached "access denied" page.
In order to proceed I would like to know some more details about dl/installers. Is this page implemented using a custom module or do you use some contrib project in order to restrict access to that page?
Comment #9
DeNelo commented:
Access to the dl/installers page is restricted to users having certain roles, using the Content Access module.
"Per content node access control" is enabled for the content type in question (called "download"), but no additional users have been given access to the dl/installers page.
Comment #10
znerol commented