[EMAIL PROTECTED] wrote:
>
> While doing this patch (and ending up with 3 very small modules); I found
> the following legacy behaviour. Any feels as to if we shall kill these
> surprising behaviourisms in 2.0 or stay as close to 1.3 as possible ?:
>
> -> if there are no requires - but there is Auth happening
>    we actively OK.
>
> -> If there are no requires for the method (but there are
>    requires for that directory for other methods)
>    we actively OK.
>
> -> If we have for example a (Group,..)File but opening it fails
>    then we ignore any 'require group' and DECLINE to other modules.

I don't find those surprising at all; they're what I would expect.

> Proposal to fixing these leaks (comment now or wait for code) and allowing
> small footprint modules to take part of the process over:
>
> -> mod_auth_file
>    auth UserID/passwd against file
>    DECLINE if no file configured

If no file configured, but Require present, UNAUTH (or 500)
if authoritative; otherwise DECLINE.

>    ERROR if file read error (was DECLINE/UNAUTH)

No, UNAUTH if authoritative, DECLINE otherwise. The client
should NOT be told there is a config error. Log the problem.

> -> mod_auth_groupfile
>    checks UserID against required 'require (valid-)group'
>    DECLINE if no requirements at all (was OK)
>    DECLINE if no group file configured

No, similar to above.

>    ERROR if file read error (was IGNORE)

UNAUTH. DON'T tell the user there's anything except a Boolean
auth failure.

Et cetera.
--
#ken P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"
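
Added example (not part of the original message and not Apache source code): a stand-alone C model of the mod_auth_file decision rules stated in the reply above, where configuration and file-read failures are logged server-side and the client sees only UNAUTH or the request is DECLINEd. The status values match Apache's httpd.h; auth_cfg, lookup_t, check_user and the handling of unknown users and wrong passwords are assumptions made for the illustration.

```c
#include <stdio.h>

/* Status values as in Apache's httpd.h; all other names are hypothetical. */
#define OK                0
#define DECLINED          (-1)
#define HTTP_UNAUTHORIZED 401

/* Outcome of looking the user up in the password file (constructed model). */
typedef enum { READ_ERROR, NO_SUCH_USER, BAD_PASSWORD, MATCH } lookup_t;

typedef struct {
    int file_configured;  /* a password file directive is present */
    int has_require;      /* a Require applies to this request */
    int authoritative;    /* this module has the final say */
} auth_cfg;

int server_log_lines;     /* counts entries written to the server log */

/* Log the real cause server-side; the client sees only a plain auth result. */
static int fail_logged(const auth_cfg *c, const char *cause)
{
    fprintf(stderr, "[error] auth_file: %s\n", cause);
    server_log_lines++;
    return c->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

int check_user(const auth_cfg *c, lookup_t result)
{
    if (!c->file_configured) {
        if (!c->has_require)
            return DECLINED;          /* nothing asked of this module */
        return fail_logged(c, "Require present, no password file configured");
    }
    switch (result) {
    case READ_ERROR:                  /* never surfaced as a 500 */
        return fail_logged(c, "cannot read password file");
    case NO_SUCH_USER:                /* assumption: let others try if allowed */
        return c->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
    case BAD_PASSWORD:                /* assumption: known user, wrong secret */
        return HTTP_UNAUTHORIZED;
    case MATCH:
        return OK;
    }
    return HTTP_UNAUTHORIZED;         /* unreachable; fail closed */
}
```

With an authoritative module, a read error and a wrong password return the same status, so the response does not reveal whether the failure was a credential problem or a server-side one.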