httpd-dev mailing list archives

From Dan Poirier <poir...@pobox.com>
Subject Re: AuthzMergeRules blocks everything in default configuration
Date Thu, 30 Oct 2008 12:59:17 GMT
Chris Darroch said the following on 10/29/2008 10:35 PM:
> <Directory /humans_and_friendlies_only>
>  Require valid-user
>  <SatisfyNotAll>
>    Require group alien
>    <SatisfyAny>
>      Require group hostile
>      Require group neutral
>      Require group noninterventionist
>    </SatisfyAny>
>  </SatisfyNotAll>
> </Directory>

I wonder if we have to stick with building up complicated authorization 
expressions by nesting many different directives.

I'd find it much easier to understand if we had fewer directives, and 
just built up the more complicated ideas by writing boolean expressions, 
which most of us already know how to cope with.

I'm picturing something like this:

<Directory /humans_only>
AuthorizeIf valid-user AND member-of-group human
</Directory>


Maybe with some syntactic sugar to help break things down into 
understandable chunks:


DefineAuthorization friendly NOT (member-of-group hostile OR 
member-of-group neutral OR member-of-group noninterventionist)

DefineAuthorization human NOT (member-of-group alien)

<Directory /humans_and_friendlies_only>
AuthorizeIf valid-user AND (human OR friendly)
</Directory>


We could add a few more pre-defined primitives that could be used in 
expressions, such as

# Inherit parent authorization, and add another condition
AuthorizeIf authorized-in-parent AND member-of-group vips

# Grant access to all
AuthorizeIf true


Granted, this is very different from the syntax in 2.2 configurations, 
so migration would have to be considered.  But it might be worthwhile if 
something like this reduced confusion and questions on the lists.

Dan
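As an added illustration (not code from httpd or from anyone in this thread), here is a small Python evaluator for the boolean AuthorizeIf / DefineAuthorization syntax Dan sketches above. The primitives valid-user, member-of-group, authorized-in-parent and true come from his message; the function signature, the request context passed in, and the fail-closed handling of anything unrecognised are assumptions of this example.

```python
import re

# Tokens: parentheses and hyphenated words (valid-user, member-of-group, ...).
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z_][\w-]*")

def authorized(expr, user, groups, definitions=None, parent=False):
    """Evaluate one AuthorizeIf expression. user is the authenticated name or
    None, groups the user's groups, definitions the DefineAuthorization map,
    parent the enclosing section's result. Anything malformed raises (deny)."""
    defs, groups, parent = dict(definitions or {}), set(groups), bool(parent)
    toks = TOKEN_RE.findall(expr)

    def parse_bin(i, op, below, combine):  # left-assoc binary operator chain
        val, i = below(i)
        while i < len(toks) and toks[i].upper() == op:
            rhs, i = below(i + 1)
            val = combine(val, rhs)
        return val, i

    def parse_not(i):
        if i < len(toks) and toks[i].upper() == "NOT":
            val, i = parse_not(i + 1)
            return (not val), i
        return parse_atom(i)

    def parse_atom(i):
        if i >= len(toks):
            raise ValueError("expression ends unexpectedly")
        tok = toks[i]
        if tok == "(":
            val, i = parse_or(i + 1)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("missing ')'")
            return val, i + 1
        if tok == "member-of-group" and i + 1 < len(toks):
            return toks[i + 1] in groups, i + 2
        simple = {"true": True, "valid-user": user is not None,
                  "authorized-in-parent": parent}
        if tok in simple:
            return simple[tok], i + 1
        if tok in defs:  # named definition, evaluated in the same context
            return authorized(defs[tok], user, groups, defs, parent), i + 1
        raise ValueError(f"unknown primitive {tok!r}")  # fail closed

    def parse_and(i): return parse_bin(i, "AND", parse_not, lambda a, b: a and b)
    def parse_or(i): return parse_bin(i, "OR", parse_and, lambda a, b: a or b)
    val, end = parse_or(0)
    if end != len(toks):
        raise ValueError(f"trailing token {toks[end]!r}")
    return val
```

Precedence is NOT, then AND, then OR, with parentheses to override, as in ordinary boolean notation. Self-referential DefineAuthorization entries are not guarded against here; a real implementation would have to reject them at configuration time.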
