htaccess password protect files with different users

Question

I have a files server and I use mod_autoindex to server the files. I have a username and password in htaccess so only certain people can access the files. I have added another user to htpasswd but I would only like that user to access some of the files/folders.

Here is my htaccess file now:

AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd

<Files "filesForAnyUser\\*">
  Require valid-user
</Files>

<Files "*">
Require user admin
</Files>

I'm sure I am doing something wrong but I can't find any good documentation on this.

ya that is a folder with files that should be available to any user — Tony Brix, Sep 26 '13 at 20:08
`E:\\path\\to\\.htpasswd` consider changing it to `E:/path/to/.htpasswd` using the opposite slash will save you some trouble in some specific situations. — Prix, Sep 26 '13 at 20:19

score 5 · Accepted Answer · answered Sep 26 '13 at 20:30

5

If you have a folder called "filesForAnyUser" and a folder where you have files only for admin, you need to make 2 htaccess files. One in "filesForAnyUser":

AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require valid-user

And one in the other directory:

AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin

answered Sep 26 '13 at 20:30

Jon Lin

142,182
29
220
220

that worked but why doesn't the or directives work? – Tony Brix Sep 26 '13 at 20:38
@UziTech Both [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory) and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) have contexts of "server" and "virtualhost" config. **Not** "htaccess", so those directives can't be used in an htaccess file, which makes sense because putting an htaccess file in a directory is kind of like using a `` on that directory. – Jon Lin Sep 26 '13 at 20:46

Tony Brix · Answer 2 · 2017-03-28T15:24:58.137

So here is my final solution for anyone else.

Put the following in the root folder:

AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin

Put the following in any folder where admin and user1 can access the file:

AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin user1 #users separated by space or "Require valid-user" if all users

If you want to allow user1 to only access certain files you can use <FilesMatch>:

AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
<FilesMatch "^(doc1.pdf|doc2.txt|doc3.docx)$">
  Require user admin user1 #or valid-user
</FilesMatch>

This gives admin access to all files in that folder but user1 only access to the files listed in <FilesMatch>

Note: The files in <FilesMatch> are for the current directory and any sub directory. I'm not sure how to limit it to only the current directory.

htaccess password protect files with different users

2 Answers2