Hi --
This is all fairly simple, I think, especially if
MatchNotAny/RequireNone is removed as well so that Require retains its
apparent meaning everywhere. See if the patch below meets your
expectations; if so, I'll commit it and update the docs.
Sorry, here's a slightly updated one without any whitespace issues;
it should apply cleanly against the latest SVN trunk as of a few
minutes ago.
Chris.
=========================================================
--- modules/aaa/mod_authz_core.c (revision 724813)
+++ modules/aaa/mod_authz_core.c (working copy)
@@ -52,17 +52,19 @@
#define FORMAT_AUTHZ_COMMAND(p,section) \
((section)->provider \
- ? apr_pstrcat((p), \
+ ? apr_pstrcat((p), "Require ", \
((section)->negate ? \
- "Match not " : "Match "), \
+ "not " : ""), \
(section)->provider_name, " ", \
(section)->provider_args, NULL) \
- : apr_pstrcat((p), "<Match", \
+ : apr_pstrcat((p), "<Require", \
((section)->negate ? "Not" : ""), \
(((section)->op == AUTHZ_LOGIC_AND) \
? "All" : "Any"), \
">", NULL))
+#undef AUTHZ_NEGATIVE_CONFIGS
+
typedef struct provider_alias_rec {
char *provider_name;
char *provider_alias;
@@ -95,7 +97,6 @@
struct authz_core_dir_conf {
authz_section_conf *section;
authz_logic_op op;
- int old_require;
authz_core_dir_conf *next;
};
@@ -314,12 +315,11 @@
return errmsg;
}
-static authz_section_conf* create_default_section(apr_pool_t *p,
- int old_require)
+static authz_section_conf* create_default_section(apr_pool_t *p)
{
authz_section_conf *section = apr_pcalloc(p, sizeof(*section));
- section->op = old_require ? AUTHZ_LOGIC_OR : AUTHZ_LOGIC_AND;
+ section->op = AUTHZ_LOGIC_OR;
return section;
}
@@ -331,21 +331,9 @@
authz_section_conf *section = apr_pcalloc(cmd->pool, sizeof(*section));
authz_section_conf *child;
- if (!strcasecmp(cmd->cmd->name, "Require")) {
- if (conf->section && !conf->old_require) {
- return "Require directive not allowed with "
- "Match and related directives";
- }
-
- conf->old_require = 1;
- }
- else if (conf->old_require) {
- return "Match directive not allowed with Require directives";
- }
-
section->provider_name = ap_getword_conf(cmd->pool, &args);
- if (!conf->old_require && !strcasecmp(section->provider_name, "not")) {
+ if (!strcasecmp(section->provider_name, "not")) {
section->provider_name = ap_getword_conf(cmd->pool, &args);
section->negate = 1;
}
@@ -377,7 +365,7 @@
section->limited = cmd->limited;
if (!conf->section) {
- conf->section = create_default_section(cmd->pool, conf->old_require);
+ conf->section = create_default_section(cmd->pool);
}
if (section->negate && conf->section->op == AUTHZ_LOGIC_OR) {
@@ -416,12 +404,6 @@
apr_int64_t old_limited = cmd->limited;
const char *errmsg;
- if (conf->old_require) {
- return apr_pstrcat(cmd->pool, cmd->cmd->name,
- "> directive not allowed with "
- "Require directives", NULL);
- }
-
if (endp == NULL) {
return apr_pstrcat(cmd->pool, cmd->cmd->name,
"> directive missing closing '>'", NULL);
@@ -437,13 +419,14 @@
section = apr_pcalloc(cmd->pool, sizeof(*section));
- if (!strcasecmp(cmd->cmd->name, "<MatchAll")) {
+ if (!strcasecmp(cmd->cmd->name, "<RequireAll")) {
section->op = AUTHZ_LOGIC_AND;
}
- else if (!strcasecmp(cmd->cmd->name, "<MatchAny")) {
+ else if (!strcasecmp(cmd->cmd->name, "<RequireAny")) {
section->op = AUTHZ_LOGIC_OR;
}
- else if (!strcasecmp(cmd->cmd->name, "<MatchNotAll")) {
+#ifdef AUTHZ_NEGATIVE_CONFIGS
+ else if (!strcasecmp(cmd->cmd->name, "<RequireNotAll")) {
section->op = AUTHZ_LOGIC_AND;
section->negate = 1;
}
@@ -451,6 +434,7 @@
section->op = AUTHZ_LOGIC_OR;
section->negate = 1;
}
+#endif
conf->section = section;
@@ -473,7 +457,7 @@
authz_section_conf *child;
if (!old_section) {
- old_section = conf->section = create_default_section(cmd->pool, 0);
+ old_section = conf->section = create_default_section(cmd->pool);
}
if (section->negate && old_section->op == AUTHZ_LOGIC_OR) {
@@ -521,15 +505,15 @@
if (!strcasecmp(arg, "Off")) {
conf->op = AUTHZ_LOGIC_OFF;
}
- else if (!strcasecmp(arg, "MatchAll")) {
+ else if (!strcasecmp(arg, "And")) {
conf->op = AUTHZ_LOGIC_AND;
}
- else if (!strcasecmp(arg, "MatchAny")) {
+ else if (!strcasecmp(arg, "Or")) {
conf->op = AUTHZ_LOGIC_OR;
}
else {
return apr_pstrcat(cmd->pool, cmd->cmd->name, " must be one of: "
- "Off | MatchAll | MatchAny", NULL);
+ "Off | And | Or", NULL);
}
return NULL;
@@ -612,7 +596,7 @@
authz_core_dir_conf *conf = authz_core_first_dir_conf;
while (conf) {
- if (conf->section && !conf->old_require) {
+ if (conf->section) {
if (authz_core_check_section(p, s, conf->section, 1) != OK) {
return !OK;
}
@@ -631,29 +615,27 @@
"container for grouping an authorization provider's "
"directives under a provider alias"),
AP_INIT_RAW_ARGS("Require", add_authz_provider, NULL, OR_AUTHCFG,
- "specifies legacy authorization directives "
- "of which one must pass "
- "for a request to suceeed"),
- AP_INIT_RAW_ARGS("Match", add_authz_provider, NULL, OR_AUTHCFG,
- "specifies authorization directives that must pass "
- "(or not) for a request to suceeed"),
- AP_INIT_RAW_ARGS("<MatchAll", add_authz_section, NULL, OR_AUTHCFG,
+ "specifies authorization directives "
+ "which one must pass (or not) for a request to suceeed"),
+ AP_INIT_RAW_ARGS("<RequireAll", add_authz_section, NULL, OR_AUTHCFG,
"container for grouping authorization directives "
"of which none must fail and at least one must pass "
"for a request to succeed"),
- AP_INIT_RAW_ARGS("<MatchAny", add_authz_section, NULL, OR_AUTHCFG,
+ AP_INIT_RAW_ARGS("<RequireAny", add_authz_section, NULL, OR_AUTHCFG,
"container for grouping authorization directives "
"of which one must pass "
"for a request to succeed"),
- AP_INIT_RAW_ARGS("<MatchNotAll", add_authz_section, NULL, OR_AUTHCFG,
+#ifdef AUTHZ_NEGATIVE_CONFIGS
+ AP_INIT_RAW_ARGS("<RequireNotAll", add_authz_section, NULL, OR_AUTHCFG,
"container for grouping authorization directives "
"of which some must fail or none must pass "
"for a request to succeed"),
- AP_INIT_RAW_ARGS("<MatchNotAny", add_authz_section, NULL, OR_AUTHCFG,
+ AP_INIT_RAW_ARGS("<RequireNotAny", add_authz_section, NULL, OR_AUTHCFG,
"container for grouping authorization directives "
"of which none must pass "
"for a request to succeed"),
- AP_INIT_TAKE1("MergeAuthz", authz_merge_sections, NULL, OR_AUTHCFG,
+#endif
+ AP_INIT_TAKE1("AuthMerging", authz_merge_sections, NULL, OR_AUTHCFG,
"controls how a <Directory>, <Location>, or similar "
"directive's authorization directives are combined with "
"those of its predecessor"),
