httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: Resolved (sort of): Struggling with AuthMerging
Date Sat, 03 Aug 2013 19:19:46 GMT
On Sat, Aug 3, 2013 at 2:34 PM, Mikhail T. <mi+thun@aldan.algebra.com> wrote:
> 03.08.2013 14:14, Eric Covener wrote:
>
> I don't agree re: necessity. As Ben said, httpd only knows that /tiv
> (where you tried to punch a hole) and the target of your Action
> directive have different per-directory configurations, so
> authorization is checked on the subrequest.   It's erring on the side
> of running authz checks, and I don't disagree that it could be
> enhanced/optimized.
>
> Point is, it is erring. I asked Ben for possible use-cases and his two
> examples were modules, which use the authorization rules to generate
> different content depending on the result. Rather than to decide, whether to
> authorize the request at all.

I didn't interpret his response that way. Those are modules that will
create subrequests/internal redirects to new URIs that could have
separate authz applied to them from the original URI --  you can't
assume the server is any less interested in performing authz on them.

Consider something as basic as (per-directory) mod_rewrite or
mod_include.  The server can't tell the difference between that and
your mod_actions internal redirect to a new URI -- they need to be
checked.
