I've just looked at authz. There's an IMO ugly hack whereby every authz provider has to run after authz_file and make a special case for file-group. It's repitition of identical code, and breaks modularity.
Wouldn't it be better for mod_authz_owner to be able to determine whether file-group is satisfied before returning, instead of faffing about with Notes and complicating the AuthAuthoritativeness logic? We could implement that using a file-group optional hook in mod_authz_owner. The normal authz_FOO modules can then implement the hook and properly preserve modularity. Any thoughts? -- Nick Kew