Hello all,

Today I tried to limit access to phpMyAdmin using my own Authen.pm
module. It works well but not always. Looks like phpMyAdmin has
problems with the HTTP POST method if I enable my PerlAuthenHandler
Authen.pm. Otherwise phpMyAdmin and Authen.pm work well.

The error I get in phpMyAdmin is:
Fatal error: PMA_sendHeaderLocation called when headers are already
sent! in /opt/datajoy/www/lib/phpMyAdmin/libraries/common.lib.php on
line 650

I am not sure what causes this problem. It may be a phpMyAdmin issue or
there is something wrong in my Authen.pm. But since my Authen.pm works
well when limiting access to directories/files and since I have no
problem with phpMyAdmin if I use .htaccess with a password file
(AuthUserFile) I thought it might be a mod_perl issue. Has anyone else
noticed strange behaviour when using PerlAuthenHandler? It is the same
if I use PerlAccessHandler.

I hope someone can direct me where to look for a solution.

Best regards,
Miha

Server software:
Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0
I also noticed this problem in older versions of Apache, perl, mod_perl and php.

Below are my Apache settings for phpMyAdmin dir and Authen.pm module:


PerlSendHeader Off
AuthName DatajoyWebAuth
AuthType Basic
PerlAuthenHandler Datajoy::Authen
require valid-user



package Datajoy::Authen;

use strict;
use Apache2::Access ();       # get_basic_auth_pw, note_basic_auth_failure
use Apache2::RequestRec ();   # hostname, user, filename
use Apache2::RequestUtil ();
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);

use Datajoy::Application;
use Datajoy::Config;

# Returns 1 if $user/$pass are valid for the organisation that owns $domain,
# 0 otherwise.
sub Authenticate {
    my ($domain, $user, $pass, $file) = @_;
    my $result = 0;

    my $app = Datajoy::Application->new();
    $app->Db_Connect;

    # Look up the organisation and user for this virtual host.
    my $sth = $app->{dbh}->prepare("select users.org_id, users.id, pages.path
        from domains,users,pages
        where domains.page_id=pages.id and users.org_id=domains.org_id
        and domains.domain=? and users.username=?");
    $sth->execute($domain, $user);
    my ($org_id, $user_id, $domain_path) = $sth->fetchrow_array;

    if ($org_id && $user_id) {
        my $auth = undef;
        # Call the configured class directly instead of compiling a string
        # built from the config value; a failure still leaves $@ set.
        eval { $auth = $app->{config}->{auth_module}->new($app) };
        if (! $@) {
            my ($logged_in, $uref) = $auth->Login($org_id, $user, $pass);
            if ($logged_in > 0) {
                $result = 1;
            }
        }
    }

    return $result;
}

sub handler {
    my $r = shift;

    # Parse the Basic credentials; non-OK means they were missing or malformed.
    my ($status, $pass) = $r->get_basic_auth_pw;

    return $status unless $status == Apache2::Const::OK;

    my $domain = $r->hostname();
    my $user   = $r->user;
    my $file   = $r->filename();

    if (Authenticate($domain, $user, $pass, $file)) {
        return Apache2::Const::OK;
    } else {
        # Ask the client to retry with credentials.
        $r->note_basic_auth_failure;
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }

}

1;
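
An added example, not part of the original post or of the Datajoy code: Authenticate instantiates whatever class the auth_module config value names, so the code below resolves that name against an allowlist and checks the class interface before calling its constructor as an ordinary method. Example::Auth::Static, load_auth_backend and the allowlist contents are hypothetical names constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a real auth backend so the script runs offline.
package Example::Auth::Static;
sub new { my ($class, $app) = @_; return bless { app => $app }, $class }
sub Login {
    my ($self, $org_id, $user, $pass) = @_;
    return ($user eq 'alice' && $pass eq 'constructed-password') ? 1 : 0;
}

package main;

# Hypothetical allowlist: the only backends the handler may instantiate.
my %ALLOWED_AUTH_MODULE = map { $_ => 1 } qw(Example::Auth::Static);

# Return an auth object, or undef if the configured name is not acceptable.
sub load_auth_backend {
    my ($app) = @_;
    my $class = $app->{config}{auth_module};

    # Accept only a plain package name that is on the allowlist.
    return unless defined $class
        && $class =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/
        && $ALLOWED_AUTH_MODULE{$class};

    # Load the module file unless the package is already in memory.
    unless ($class->can('new')) {
        (my $file = "$class.pm") =~ s{::}{/}g;
        return unless eval { require $file; 1 };
    }

    # The handler relies on new() and Login(); refuse classes lacking either.
    return unless $class->can('new') && $class->can('Login');

    # Block eval: a dying constructor yields undef instead of a 500.
    return scalar eval { $class->new($app) };
}

# Constructed config values: valid, not a package name, not allowlisted.
for my $name ('Example::Auth::Static', 'Example::Auth::Static; 1', 'Other::Module') {
    my $auth = load_auth_backend({ config => { auth_module => $name } });
    printf "%-28s => %s\n", $name, $auth ? 'loaded' : 'rejected';
}
```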