At 08:25 AM 5/28/2002, Francis Daly wrote: >This is a repost of a patch sent in the thread "An unusual request" >about a week ago. > >Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that >URLs for which the requester was not (yet) authorized did not appear >in the generated listings. This patch allows the administrator >configure, on a per-directory basis, whether or not to show the names >of the authorization-requiring resources in that directory.
And the list generally agreed that the right fix is to configure a list of HTTP result codes that the administrator will allow to be listed, rather than the toggle you proposed. But I haven't had time to hack together an illustration, anyone who wants to is welcome to take a stab at it. >This patch introduces a config option which changes the >behaviour of Options +Indexes. It potentially exposes names of >authentication-requiring URLs to unauthenticated users. I've called >the option "IndexOptions RevealSecretURL" to make sure that it isn't >unintentionally enabled. It defaults to not set, which leaves behaviour >as it currently is. > >It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by >AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing >is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED >DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That >could be changed to appear DIRECTORY by adding a filetype check just >before setting the string ^^UNAUTHORIZED^^. Very slick... I see lock icons popping up on my own sites really soon :-) >It explicitly hides the file size and modification time of unauthorized >resources. This differs from the behaviour of 1.3. Code already in >find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any >content. I'm asking myself what it matters? If they want to include these resources in the file list, why do we care that they show up without size/time stamps? I suspect that working around this is overkill.
