# 2024-02-14 Oddµ bug maybe
I had a site where an entire subdirectory was private. Nobody but the author could read or write those pages. I had configured Apache to require authentication for this subdirectory.
The config looked a bit like this:
```
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/oddmu/.htpasswd
Require valid-user
```
Note the addition of `view/secret`.
But yesterday I realized that you can run a search in the root. Such a search includes all the pages in subdirectories, and so Oddmu served an extract of the pages in the "secret" subdirectory. Adding `|search/secret` to the `LocationMatch` doesn't help.
I had to decide whether to disable search all together, or disable the search of subdirectories, or add a new feature.
I added a new feature.
It is tied to an environment variable called `ODDMU_FILTER`. It matches the directory being searched and the directory where the search starts. If the directory doesn't match, the pages returned must also not match; if the directory does match, the pages returned must also match.
Here's an example of three pages:
* /a
* /public/b
* /secret/c
The environment variable is set: `ODDMU_FILTER=^secret/` – what happens now?
* If you search from the root (doesn't match the filter), then only pages a and b are searched (they also don't match the filter).
* If you search from /public (doesn't match the filter), then only page b is searched (also doesn't match the filter). This behaviour is unchanged from before. Searches start with the directory the user is looking at.
* If you search from /secret (matches the filter), then only page c is searched (also matches the filter). This, too, is unchanged from before.
Naturally, you still need to change to the web server config for the actual authentication to happen:
```
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/oddmu/.htpasswd
Require valid-user
```
I hope I got it right! It's also documented in the oddmu-apache(5) man page.
=> oddmu/oddmu-apache.5 oddmu-apache(5)
#Oddµ