On Tue, May 28, 2002 at 09:19:33AM -0500, William A. Rowe, Jr. wrote:
> At 08:25 AM 5/28/2002, Francis Daly wrote:
> >
> >Between 1.3 and 2.0, the behaviour of mod_autoindex changed such that
> >URLs for which the requester was not (yet) authorized did not appear
> >in the generated listings. This patch allows the administrator to
> >configure, on a per-directory basis, whether or not to show the names
> >of the authorization-requiring resources in that directory.
> 
> And the list generally agreed that the right fix is to configure a list
> of HTTP result codes that the administrator will allow to be listed,
> rather than the toggle you proposed.  

Ah right, I'd missed that bit of the discussion.  I saw the
"IndexResults" suggestion, but hadn't noticed that it might be useful
to allow, for example, statuses 402 or 41[1-4] too.

No harm done.

> >It introduces a fake filename "^^UNAUTHORIZED^^" which can be used by
> >AddIcon and AddAlt to enhance the display if IndexOptions FancyIndexing
> >is also set, mirroring ^^DIRECTORY^^ and ^^BLANKICON^^. An UNAUTHORIZED
> >DIRECTORY will appear UNAUTHORIZED, falling back to DefaultIcon. That
> >could be changed to appear DIRECTORY by adding a filetype check just
> >before setting the string ^^UNAUTHORIZED^^.
> 
> Very slick... I see lock icons popping up on my own sites really soon :-)

All the real work was done by whoever coded for ^^DIRECTORY^^ and
^^BLANKICON^^ -- once I was fiddling rr->filename, that bit came as a
freebie.  But it's a nice one.

> >It explicitly hides the file size and modification time of unauthorized
> >resources. This differs from the behaviour of 1.3. Code already in
> >find_title() ensures that IndexOptions ScanHTMLTitles won't reveal any
> >content.
> 
> I'm asking myself what it matters?  If they want to include these resources
> in the file list, why do we care that they show up without size/time stamps?
> I suspect that working around this is overkill.

My take would be that advertising the name of the resource will allow
someone with the right credentials to follow links to get the full
information; someone without the credentials doesn't need to know anything
extra.  If they really want to know, they can HEAD with the right
username:password and be happy.  It's a slightly more open
interpretation of the "reveal nothing" philosophy that removed
400-series statuses from the listing in the first place, without quite
being "reveal lots and lots".

The final call is up to the person doing the committing, of course.

All the best,

        f
-- 
Francis Daly        [EMAIL PROTECTED]
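As an added illustration (not part of this thread, and not the mod_autoindex patch under discussion), the following Python model captures the listing policy the two messages converge on: each directory member carries the status of its access-control subrequest; only status 200 and the statuses on an administrator-supplied allow list (the "IndexResults"-style list) are shown at all; and any shown entry that is not 200 gets the ^^UNAUTHORIZED^^ pseudo-name for AddIcon/AddAlt lookup with its size and modification time withheld, exactly the "name only" disclosure Francis describes. The names Entry, ListingPolicy, render_listing and the sample directory are hypothetical and constructed here.

```python
# Added illustration of the autoindex listing policy discussed above.
# Not the Apache patch: Entry, ListingPolicy, render_listing and the
# sample data are hypothetical/constructed. Statuses are the HTTP result
# codes of the per-entry access-control subrequest.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

UNAUTHORIZED_TOKEN = "^^UNAUTHORIZED^^"   # pseudo-filename from the patch
DIRECTORY_TOKEN = "^^DIRECTORY^^"         # existing FancyIndexing pseudo-name


@dataclass(frozen=True)
class Entry:
    name: str
    status: int      # subrequest result: 200, 401, 402, 403, ...
    is_dir: bool
    size: int
    mtime: str


@dataclass
class ListingPolicy:
    # Non-200 statuses the administrator allows to appear in listings.
    # Empty set == the 2.0 behaviour: hide everything the requester
    # is not (yet) authorized for.
    allowed_statuses: FrozenSet[int] = field(default_factory=frozenset)

    def visible(self, e: Entry) -> bool:
        return e.status == 200 or e.status in self.allowed_statuses


def render_row(e: Entry) -> Dict[str, Optional[object]]:
    """One listing row. A non-200 entry reveals only its name; the icon
    lookup key becomes ^^UNAUTHORIZED^^ (even for directories, matching
    the fallback described in the thread) and size/mtime are withheld."""
    if e.status == 200:
        icon_key = DIRECTORY_TOKEN if e.is_dir else e.name
        return {"name": e.name, "icon_key": icon_key,
                "size": e.size, "mtime": e.mtime}
    return {"name": e.name, "icon_key": UNAUTHORIZED_TOKEN,
            "size": None, "mtime": None}


def render_listing(entries: List[Entry], policy: ListingPolicy) -> List[dict]:
    """Filter by policy, then render each surviving entry."""
    return [render_row(e) for e in entries if policy.visible(e)]


def leaked_fields(rows: List[dict]) -> set:
    """Defender's check: any field other than the name that is populated
    on an unauthorized row is an information leak. Expected: empty set."""
    return {k for r in rows if r["icon_key"] == UNAUTHORIZED_TOKEN
            for k, v in r.items()
            if k not in ("name", "icon_key") and v is not None}


# Constructed sample directory (not real data).
SAMPLE = [
    Entry("index.html", 200, False, 1234, "2002-05-28 08:25"),
    Entry("private/", 401, True, 4096, "2002-05-28 08:25"),
    Entry("report.pdf", 403, False, 98765, "2002-05-28 08:25"),
    Entry("paid.zip", 402, False, 555, "2002-05-28 08:25"),
]

DEFAULT_POLICY = ListingPolicy()                        # hide all non-200
SHOW_AUTH_POLICY = ListingPolicy(frozenset({401, 402}))  # list 401/402 by name only

if __name__ == "__main__":
    for row in render_listing(SAMPLE, SHOW_AUTH_POLICY):
        print(row)
    print("leaked:", leaked_fields(render_listing(SAMPLE, SHOW_AUTH_POLICY)))
```

With the default policy only index.html is listed; with 401 and 402 allowed, private/ and paid.zip appear by name with the ^^UNAUTHORIZED^^ icon key and no size or time, while the 403 entry stays hidden because the administrator did not put 403 on the list. The leaked_fields check is the kind of assertion a reviewer would want in a test for such a patch.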
