On Oct 1, 2007, at 11:14 AM, Nick Kew wrote:
On Mon, 01 Oct 2007 16:43:57 +0200
Ruediger Pluem <[EMAIL PROTECTED]> wrote:
On 10/01/2007 03:30 PM, Joshua Slive wrote:
On 10/1/07, Jim Jagielski <[EMAIL PROTECTED]> wrote:
[summary of everyone]
No problem.
OK, it's actually applying the permissions of DocumentRoot.
It's also ignoring the permissions on <Location />
So my report was wrong, but we still have a bug:
we shouldn't be mapping OPTIONS * to the filesystem.
TRACE also does not/should not trace to the filesystem.
So, I think what we should do is use the existing
architecture and have a quick_handler that checks for
the OPTIONS * case and, if so, return DONE.
I am not sure, to be honest, what we should do for
OPTIONS /foo if /foo is a protected entity... Reading
9.2: "communication options available on the request/response
chain... without implying a resource action or initiating a
resource retrieval" implies to me that ACL shouldn't even
enter into it and should never return a 403... Which
also implies that we should not honor any Limit for
Options either...
Before I work on the fix (http://issues.apache.org/bugzilla/
attachment.cgi?id=20902
seems just plain wrong to me), I'd like to see what
Roy thinks about the above compliance points...
