On Fri, Aug 2, 2013 at 8:24 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:
The modules in your examples deliberately use the authz mechanism to
generate different output based on the results. But what is doing it in the
case I describe -- where the generated content is exactly the same?
On Friday, 2 August 2013, 23:05:09, Ben Reser wrote:
If all of your authz/authn providers are using the CONF flag and
you're getting duplicated authz processing for subrequests that have
the same conf applied to them then it's possible there's a bug
here. I haven't ever specifically looked
On Friday, 2 August 2013, 11:21:56, Eric Covener wrote:
I think this does not work for GET requests or requests without a
request body.
Just re-read spec, you are right -- we are abusing this in a module
as a sort of extended handshake even w/ no body, but not against
heterogenous
03.08.2013 02:05, Ben Reser wrote:
You don't seriously expect the auth system to know all of those intricacies?
Let me take a step back here. What I found about my particular situation
is -- using your own term -- absurd:
1. The current behavior is not documented.
2. The current behavior is
On Sat, Aug 3, 2013 at 1:41 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:
03.08.2013 02:05, Ben Reser wrote:
You don't seriously expect the auth system to know all of those intricacies?
Let me take a step back here. What I found about my particular situation is
-- using your own term --
03.08.2013 14:14, Eric Covener wrote:
I don't agree re: necessity. As Ben said, httpd only knows that /tiv
(where you tried to punch a hole) and the target of your Action
directive have different per-directory configurations, so
authorization is checked on the subrequest. It's erring on the
On Sat, Aug 3, 2013 at 11:34 AM, Mikhail T. mi+t...@aldan.algebra.com wrote:
Point is, it is erring. I asked Ben for possible use-cases and his two
examples were modules, which use the authorization rules to generate
different content depending on the result. Rather than to decide, whether to
On Sat, Aug 3, 2013 at 2:34 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:
03.08.2013 14:14, Eric Covener wrote:
I don't agree re: necessity. As Ben said, httpd only knows that /tiv
(where you tried to punch a hole) and the target of your Action
directive have different per-directory
03.08.2013 15:19, Eric Covener wrote:
I didn't interpret his response that way. Those are modules that will
create subrequests/internal redirects to new URIs that could have
separate authz applied to them from the original URI -- you can't
assume the server is any less interested in