On 28 Sep 2013, at 14:19, Eric Covener <cove...@gmail.com> wrote:

> I've come back to this because I've struggled in another area with
> access_checker vs. access_checker_ex. I really think we need basic access
> control outside of Require and Satisfy.
>
> I have a copy of the "Forbidden" directive in mod_authz_core and I am
> currently allowing ON/OFF flags.
>
> * using a new directive means someone won't casually add "forbidden OFF" when
> they think they're turning on more access control with Require
> * we can document that "forbidden OFF" is extreme from the start.
>
> I am on the fence about having an argument at all. My fear is that it will
> evolve into a misguided FAQ of 'try forbidden OFF if you get a 403' then
> we're right back to
>
> <Files .ht*>
> Forbidden
> </Files>
>
> ...
>
> <Location />
> ...
> Require ldap-group cn=foo
> Forbidden OFF
> </Location>
The second time in a few days, I'm going to suggest adding an optional parameter to a directive.

Taking a leaf out of cascading stylesheets, how about “Forbidden On Level=Important” and perhaps “Forbidden On Level=Indelible”? (the idea being that the “Indelible” level can't be removed). This lets distributions ship a fairly safe default configuration but gives users enough scope to hang themselves.

With this, “forbidden OFF” isn't so risky and “Forbidden Off Level=Important” can carry a health warning (and perhaps an ErrorLog warning as well).

Too complex or worth having? What do people think? If there's appetite for it then I will have a go at providing a patch.

--
Tim Bannister – is...@jellybaby.net
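The configuration below is an added illustration of the merging problem the thread is circling around; it is not from either message and the `Forbidden` directive it ends with is the proposed, not-yet-shipped one under discussion (its exact syntax, and the `Level=` argument, are assumptions taken from the proposal above). The hostnames, DNs and realm are made up. In httpd 2.4, `<Location>` sections are merged after `<Files>` sections, and with the default `AuthMerging Off` the authorization configuration of the later section replaces the earlier one, so the `Require` in `<Location />` silently discards the `Require all denied` that protects dotfiles:

```apache
# Shipped default (real httpd 2.4 idiom): refuse to serve .htaccess, .htpasswd, etc.
<Files ".ht*">
    Require all denied
</Files>

# Added later by an administrator who only wants to require group membership.
# Because <Location> merges after <Files> and AuthMerging defaults to Off,
# this Require *replaces* the "Require all denied" above for every path,
# so an authenticated member of cn=foo can now fetch /.htaccess.
<Location "/">
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require ldap-group cn=foo,ou=groups,dc=example,dc=com
</Location>

# What the proposal aims at (hypothetical directive, not in a released httpd):
# an access check that is evaluated outside of Require/Satisfy, so a later
# Require in <Location> cannot clobber it, and whose "Indelible" level (Tim's
# suggestion) cannot be switched off by a casual "Forbidden Off".
<Files ".ht*">
    Forbidden On Level=Indelible
</Files>
```

Two checks worth doing on a real server: `apachectl -t -D DUMP_CONFIG` (or `httpd -t -D DUMP_RUN_CFG`) to see the merged result, and simply requesting `/.htaccess` as a member of the group after adding the `<Location>` block; a 200 rather than 403 is the failure mode Eric's "misguided FAQ" scenario would reproduce with `Forbidden OFF`.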