>Number: 735 >Category: mod_auth-any >Synopsis: require user/require group step on each other >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache (Apache HTTP Project) >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri Jun 13 08:40:00 1997 >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2 >Environment: SunOS spaten 5.5.1 Generic_103640-03 sun4m sparc SUNW,SPARCstation-20 built with gcc 2.7.2.1 >Description: Not sure if this is a bug or a feature - in trying to set up require's to limit access, one finds that "require user" and "require group" step on each other in a non-intuitive (for me) way. For example, one might expect that:
require user davidb require group foo would allow the user davidb in and anybody in group foo in. However, davidb is denied access unless he is a member of foo. Thus, it appears that "require user" directives are ignored if a "require group" directive exists. >How-To-Repeat: See above. >Fix: Logically, I would prefer that the requires be done as the union of all possibilities. Otherwise, it seems to make sense that the user should override group. At the very least, the documentation might state that fact. Great work on the server - please keep it up%2 >Audit-Trail: >Unformatted:
