0

So I have a development site set up running Drupal. I've locked the site down with basic HTTPAuth + htpasswd to keep out baddies.

The problem is that a single node, a webform, needs to be accessible on this dev site from the live site.

My question is: because of Drupal's convoluted bootstrapping process, how would I go about allowing access to only this single file/URL?

My vhost config for htpasswd:

<Directory />
   AuthUserFile /var/www/.htpasswd
   AuthName "my radbad dev site"
   AuthType Basic
   Require valid-user
</Directory>

I've tried something like the following without success:

<Location "/node/1334">
   Allow from all
   Satisfy any
</Location>
imgrgry

3 Answers

3

You can't do it like that, because the webform isn't a file, it's dynamically generated from info you gave Drupal (which it put in the DB). All Drupal URIs (apart from your uploaded files) are index.php sending you to the right place. There's no way to tell httpauth that sometimes index.php may be accessed freely and sometimes it requires auth.

There are several options for controlling access via a Drupal module, or (if your live site is Drupal) you could just give it the same webform, but no amount of tweaking around with httpauth will solve your problem.

HedgeMage
  • Yeah, makes sense. Unfortunately the form can't be on the live site for moderation purposes (the site was poorly designed). Will probably look into an ACL module. – imgrgry Feb 02 '11 at 17:03
  • ACL is great, but keep in mind that it's just an API. You still need node_access or one of the many alternatives to actually provide a UI that does something. :) – HedgeMage Feb 02 '11 at 17:28
0

<Location>-directives are applied after .htaccess is processed. This means mod_rewrite already did its thing and the URL is now /index.php?q=node/1334. This is bad, because <Location> cannot be used for configurations based on the query string. See <Location> directive and How the sections are merged for details.

You will have to come up with a totally different solution, like making the Drupal database available under some other URL, that is not accessible from outside.

Oswald
  • The webform isn't *in* the Drupal database. It's constructed *from* information in the database by webform module. Unless one wants to go to the work of creating a special standalone webapp to grab webform data and exactly reproduce the function of webform module outside of Drupal (waste of effort when a new Drupal site is on its way anyway), that DB won't get you a usable form. – HedgeMage Feb 02 '11 at 17:29
  • @HedgeMage Setting up an additional Drupal installation certainly is an option. I left that for gigantorTRON to decide. I merely pointed out why his solution cannot work. If you think this is worth a downvote ... go ahead. – Oswald Feb 02 '11 at 18:22
  • *That* makes perfect sense, but it wasn't clear in your answer...removing downvote and editing. – HedgeMage Feb 02 '11 at 19:08
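
A simplified model of the behaviour described in the answer above, as an added example that is not part of the original thread: once the clean-URL rewrite has run, every Drupal page is served as /index.php, so an exemption for /node/1334 never matches, while an exemption for /index.php opens every page. The rewrite rule shape, the sample paths other than /node/1334, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: simplified model of Drupal's stock clean-URL rule
#   RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
# applied to any request that is not an existing file.
EXISTING_FILES = {"/index.php", "/misc/drupal.js"}  # constructed sample docroot


def rewrite(url):
    """Return the URL the request is served as after the clean-URL rewrite."""
    parts = urlsplit(url)
    if parts.path in EXISTING_FILES:
        return url
    q = "q=" + parts.path.lstrip("/")
    if parts.query:  # QSA: keep the original query string
        q += "&" + parts.query
    return "/index.php?" + q


def location_matches(prefix, url):
    """Path-prefix match that ignores the query string, as <Location> does."""
    path = urlsplit(url).path
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def needs_auth(url, exempt_prefix):
    """Auth is required unless the exemption matches the rewritten request."""
    return not location_matches(exempt_prefix, rewrite(url))


def audit(exempt_prefix, urls):
    """Map each requested URL to whether it would still prompt for credentials."""
    return {u: needs_auth(u, exempt_prefix) for u in urls}


# Constructed sample requests: the webform plus pages that must stay protected.
SAMPLE = ["/node/1334", "/node/1", "/admin/user", "/misc/drupal.js"]

if __name__ == "__main__":
    for prefix in ("/node/1334", "/index.php"):
        print(prefix, audit(prefix, SAMPLE))
```
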
0

If you want to go the HTTP authentication route, consider the Secure Site module instead of editing .htaccess and creating a .htpasswd file. That's an error-prone process, while Secure Site gives you a form which you can use to type in a path you want excluded from securing. Even better, it uses the Drupal authentication system, so you can deny/allow people to the site based on Drupal roles and permissions.

sillygwailo