DekGenius.com

Recipe 6.27 Limiting Methods by User

Problem

You want to allow some users to use certain methods but prevent their use by others. For instance, you might want users in group A to be able to use both GET and POST but allow everyone else to use only GET.

Solution

Apply user authentication per method using the Limit and LimitExcept directives:

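AuthName "Restricted Access"
AuthType Basic
AuthUserFile filename
# Host-based access: allow every client address
Order Deny,Allow
Allow from all
# GET: passing the host check is enough, no login is requested
<Limit GET>
    Satisfy Any
</Limit>
# Every other method: the host check and a valid login are both required
<LimitExcept GET>
    Satisfy All
    Require valid-user
</LimitExcept>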

Discussion

It is often desirable to give general access to one or more HTTP methods, while restricting others. For example, while you may wish any user to be able to GET certain documents, you may wish for only site administrators to POST data back to those documents.

It is important to use the LimitExcept directive, rather than attempting to enumerate all possible methods in a Limit block, as you're likely to miss one, and any method you miss is left unrestricted.
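The difference between enumerating methods and using LimitExcept can be checked mechanically. The following Python sketch is an added example, not part of the original recipe: it reads configuration text and lists the methods that no Require line covers. The method list, the two sample configurations and the function names are constructed for illustration, and the check looks only at Require lines inside Limit and LimitExcept blocks, ignoring nesting and inheritance.

```python
import re

# Methods to check: common HTTP verbs plus WebDAV ones. This list is an
# assumption of the example; extend it for your server's modules.
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH",
           "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]

# Directive names are case-insensitive; method names are case-sensitive.
BLOCK = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.I | re.S)
REQUIRE = re.compile(r"^\s*Require\s+\S", re.I | re.M)

# Constructed sample: protects only the methods the admin thought of.
ENUMERATED = """
<Limit POST PUT DELETE>
    Require valid-user
</Limit>
"""

# Constructed sample: the LimitExcept form this recipe recommends.
EXCEPT_GET = """
<LimitExcept GET>
    Require valid-user
</LimitExcept>
"""


def applies(kind, listed, method):
    """True if a block of this kind naming `listed` covers `method`."""
    if method == "HEAD" and "GET" in listed:
        method = "GET"  # Apache handles HEAD together with GET
    named = method in listed
    return named if kind == "limit" else not named


def open_methods(conf):
    """Return the METHODS entries that no Require line covers."""
    protected = set()
    for kind, names, body in BLOCK.findall(conf):
        if not REQUIRE.search(body):
            continue  # block sets no authentication requirement
        listed = set(names.split())
        protected |= {m for m in METHODS if applies(kind.lower(), listed, m)}
    return [m for m in METHODS if m not in protected]


if __name__ == "__main__":
    print("enumerated :", open_methods(ENUMERATED))
    print("LimitExcept:", open_methods(EXCEPT_GET))
```

With the enumerated sample, every method the administrator did not list, such as PATCH and the WebDAV verbs, is reported as open; with the LimitExcept sample only GET and HEAD are.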

See Also
