Mac OS X Server Tip: Enable user avatars for Apple WikiServer without enabling User Weblogs

Today I had the opportunity to toy around with more of Apple’s WikiServer (aka “Teams Server) intranet-building suite of applications. I already gave the wiki feature a pretty thorough treatment, so this time I set my sights on a simple user-specific (as opposed to group-specific) feature.

In my office of approximately twenty-some-odd employees, we’ve just begun using the groups’ blog feature to replace all-staff emails for interesting items that are not business related. This has actually been a huge boon for several reasons, not least of which is the productivity boost we can enjoy thanks to moving from a push system (relatively annoying, if occasionally interesting emails) to a pull system (web browsing, RSS feeds, all generated from the Apple WikiServer group blog). Out of the box, only one feature was missing from the group blog: user profile pictures (“avatars”).

If you only turn on the group wikis and blogs features in Apple’s WikiServer, you’ll find that whenever someone posts a comment to a wiki page or a blog post, a generic profile picture will appear next to their comment. If you give that person’s user account a profile picture in Workgroup Manager, you’ll see that generic profile icon turn into a broken question mark. It turns out that this is because the user profile pictures are served by a completely different web service than the group’s wiki and blog is served so if that server isn’t running none of these images will be served up to the browser.

Fixing that is simple enough: simply turn on the appropriate server—the User Weblog server—by opening Server Admin, navigating to the Web Service settings, and enabling the “Blogs” service for users under your web site, then clicking save. For the default web site (*), all that checkbox technically does is remove the comment in the /etc/apache2/sites/0000_any_80_.conf file that reads:

#        Include /etc/apache2/httpd_users.conf

The /etc/apache2/httpd_users.conf file enables the use of your web site’s /users URL paths. In practice, this means that you’ve now allowed anyone with a user account in your Open Directory database to create a new hosted, personal weblog on your server. This may be what you want, but it wasn’t what I wanted—all I wanted was user profile pictures on the groups features.

As it happens, everything behind the /users URL is actually a completely different web server (really an instance of Twisted Python) that’s accessed via a ProxyPass directive. This turns out to be really handy, because it means we can intercept requests for these URLs and redirect them before they ever get to the Twisted “User Weblog” server.

By examining the source of the wiki page on which a user’s profile picture icon appears, we can see that the URL path to the user’s image is retrieved by accessing a URL that looks like /users/username/icon.jpg (where username is the user’s full Unix username). So, with the following lines of Apache RewriteRule magic, we can enable only the serving of these user profile avatars but not let users create their own personal blogs:

#### We are ONLY using the /etc/apache2/httpd_users.conf file to
#### enable per-user avatar icons sourced from our OpenDirectory
#### user database. So to avoid the messy instance where people
#### create their own blogs we will redirect anything except the
#### image icons themselves to a 403 Forbidden error page.
<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} ^/users
        RewriteRule !^/users/[A-Za-z]+/icon.jpg [F,L]

The magic happens in the lines that begin with RewriteCond and RewriteRule. The RewriteCond rule examines the incoming URI and only continues processing if it begins with “/users”. That’s important because the next line, the RewriteRule returns a 403 Forbidden error for any and all requests that do not match a URI that starts out like /users/username/icon.jpg. In other words, without the RewriteCond directive, the entire web site would only be able to serve user profile pictures, and without the RewriteRule, all the URLs of the User Weblog server would be available (such as those to create new personal weblogs).

With both in place, however, I can get exactly what I want out of the Weblog Server. No more and no less.

3 replies on “Mac OS X Server Tip: Enable user avatars for Apple WikiServer without enabling User Weblogs”

  1. That’s exactly what I was looking for!

    But tell me please: where do I have to put these few lines of your “RewriteRule Magic”?

    Thanks so much for an answer!


  2. Hello

    I know it’s an old post, but I just wanted to say thanks and that the fix works great – even just for those wondering why the Pictures don’t work!

    The ‘Rewrite’ lines of code work when placed in /etc/apache2/httpd_users.conf and then Blogs enabled via Server Prefs or Server Admin. I had to assume this was how ito set it up so I’ll write it down for anyone else who strolls by :)

    Additionally after some quick experimentation I found a slightly ‘nicer’ rule was to use:

    RewriteRule !^/users/[A-Za-z]+/icon.jpg groups [R]

    This way, instead of getting an error message (I got HTTP Err 400) when accessing server.ext/users , it will simply redirect to server.ext/groups, kicking you back to the Wiki list.

    Both problem and your solution are working on Snow Leopard 10.6.2 :)

Comments are closed.