2024-02-14 Oddµ bug maybe

I had a site where an entire subdirectory was private. Nobody but the author could read or write those pages. I had configured Apache to require authentication for this subdirectory.

The config looked a bit like this:

Note the addition of `view/secret`.

But yesterday I realized that you can run a search in the root. Such a search includes all the pages in subdirectories, and so Oddmu served an extract of the pages in the "secret" subdirectory. Adding `|search/secret` to the `LocationMatch` doesn't help.

I had to decide whether to disable search all together, or disable the search of subdirectories, or add a new feature.

I added a new feature.

It is tied to an environment variable called `ODDMU_FILTER`. It matches the directory being searched and the directory where the search starts. If the directory doesn't match, the pages returned must also not match; if the directory does match, the pages returned must also match.

Here's an example of three pages:

/a

/public/b

/secret/c

The environment variable is set: `ODDMU_FILTER=^secret/` – what happens now?

If you search from the root (doesn't match the filter), then only pages a and b are searched (they also don't match the filter).

If you search from /public (doesn't match the filter), then only page b is searched (also doesn't match the filter). This behaviour is unchanged from before. Searches start with the directory the user is looking at.

If you search from /secret (matches the filter), then only page c is searched (also matches the filter). This, too, is unchanged from before.

Naturally, you still need to change to the web server config for the actual authentication to happen:

I hope I got it right! It's also documented in the oddmu-apache(5) man page.

oddmu-apache(5)

​#Oddµ