On Wed, Oct 29, 2008 at 6:17 PM, Chris Darroch <[EMAIL PROTECTED]> wrote:
> The MergeAuthzRules directive is renamed SatisfySections and > take three possible values, Off, All, and And. The default is Off, > meaning that as directory configuration sections are merged, > new authz configurations replace previously merged ones. However, > a directory section may specify "SatisfySections All" to force > its predecessor's authz to be successful as well as its own. > The "SatisfySections Any" option permits either the predecessor > or current section's authz to grant the user access. Note that > the setting of SatisfySections continues to be local only to > the directory section it appears in; it is not inherited to > subsequent sections as they are merged. I tend to prefer something closer to the old name, especially with the Satisfy containers being optional. IOTW the "sections" here may not be something explicit the user can look back to. > > The default setting of SatisfySections is Off, corresponding to > traditional pre-2.4 authz logic. Within a directory section, > the default logic corresponds to an AND-like block (i.e., <SatisfyAll>), > which differs from the pre-2.4 logic whereby the first Require > statement to succeed authorized the request. Good to see the behavior default to being true to the verb. > > Legacy 2.2 configurations should, I hope, work with few or no > changes as a result of these revisions. Few administrators, I hope, > have configurations with multiple Require directives in a section; e.g.: > > <Directory /foo> > Require group shirt > Require group shoes > </Directory> More common migration breakage might be using two different authz providers there. > It also means that the following 2.4-style configuration makes > intuitive sense, because the negative Reject directive only has > meaning in an AND-like context: > > <Directory /foo> > Require group shirt > Reject user noshoes > </Directory> When do we need the negative satisfy containers? I'm having a hard time with this one, especially with how negating Require/Reject are interpreted inside -- it almost seems like the containers should be dictating the verbs and you should just have some more agnostic match-type operator with the authz providers. -- Eric Covener [EMAIL PROTECTED]
