--On Sunday, December 8, 2002 3:16 PM +0100 André Malo <[EMAIL PROTECTED]> wrote:

while cleaning up the 2.1 auth docs, some things bubbled up, that
are worth patching, imho :) If all patches are applied, applying
them in the described order should work. But before a general
question: What's the reason, that Auth*Provider cannot be
determined in .htaccess files? The worst case would be a 500,
similar to the usage of AuthDBM* directives, if no mod_authn_dbm
is configured, so I see no problem in .htaccess-allowed *Provider
directives.

We did allow this before, right? Yeah, I guess it might make sense to switch the directives to OR_LIMIT. Patches? =)

- yesno.diff
there is some confusion with "yes" and "no" and "on" and "off"...
;-) By the way: the AccessAuthoritative directive in
mod_authz_default is wrong-named, isn't it? I think, it should be
AuthzDefaultAuthoritative. No patch for this, because trivial ;-)

Um, well, sure, I guess.

- authoritative.diff:
when asking the providers for authentication, the main loop should
not only break, if access is granted. It should also break, if
access was *denied* by one provider. To be safe, it has to break
also, if an error occurred. So the patch turns the condition around
and continues only, if the user was not found.
I find it also weird, that if auth was denied (by password
usually), the AuthBasicAuthoritative behaviour can override that
by "passing to lower modules". The patch changes that behaviour,
too.

I'm kind of on the fence about that. I was originally thinking optimistically, but yeah, it might make sense to do it pessimistically. If there's any error, bug out.

- null.diff:
ouch. there are some possible NULL pointer references. Have you
ever tried AuthDigestProvider dbm? This results in a great kaboom.
The patch makes apache throw an error, if someone tries a
provider, that doesn't support the particular auth scheme.

Yeah, this is what caught Fred a few weeks ago when he didn't have mod_authn_file installed.

- anon2p.diff
mod_authn_anon should be a provider, too, shouldn't it? this patch
resolves that. That drops the Anonymous_Authoritative directive,
of course. By the way, is now the time to give the anon directives
a better face? ;-))

Haven't had a chance to look at this patch, but the rest of them look good. +1. (*mumble about not having time to commit anything right now*) -- justin
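
The provider-loop behaviour discussed under authoritative.diff and null.diff, sketched as an added example that is not part of this thread or of the Apache source. The result codes, the provider struct, the NULL-callback representation and the sample credentials are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes and provider type, not Apache's own definitions. */
typedef enum { GRANTED, DENIED, USER_NOT_FOUND, GENERAL_ERROR } auth_result;
typedef auth_result (*check_pw_fn)(const char *user, const char *pw);
typedef struct { const char *name; check_pw_fn check_password; } provider;

/* Constructed sample providers: "alice" exists in both, "bob" only in dbm. */
static auth_result file_check(const char *user, const char *pw) {
    if (strcmp(user, "alice") != 0) return USER_NOT_FOUND;
    return strcmp(pw, "file-secret") == 0 ? GRANTED : DENIED;
}
static auth_result dbm_check(const char *user, const char *pw) {
    if (strcmp(user, "alice") != 0 && strcmp(user, "bob") != 0) return USER_NOT_FOUND;
    return strcmp(pw, "dbm-secret") == 0 ? GRANTED : DENIED;
}
static const provider CHAIN[] = { {"file", file_check}, {"dbm", dbm_check} };
/* A provider lacking the callback for this scheme (assumed to be a NULL pointer). */
static const provider BAD_CHAIN[] = { {"no-basic", NULL}, {"dbm", dbm_check} };

/* Loop that stops only on a grant: a later provider can override a denial. */
auth_result check_optimistic(const provider *p, size_t n, const char *user, const char *pw) {
    auth_result r = USER_NOT_FOUND;
    for (size_t i = 0; i < n && r != GRANTED; i++)
        r = p[i].check_password(user, pw);   /* no NULL check here */
    return r;
}

/* Loop that continues only on "user not found"; a denial or error is final,
 * and a provider without the callback is a configuration error. */
auth_result check_pessimistic(const provider *p, size_t n, const char *user, const char *pw) {
    auth_result r = USER_NOT_FOUND;
    for (size_t i = 0; i < n && r == USER_NOT_FOUND; i++) {
        if (p[i].check_password == NULL) return GENERAL_ERROR;
        r = p[i].check_password(user, pw);
    }
    return r;
}

int main(void) {
    printf("optimistic: %d, pessimistic: %d\n",
           check_optimistic(CHAIN, 2, "alice", "dbm-secret"),
           check_pessimistic(CHAIN, 2, "alice", "dbm-secret"));
    return 0;
}
```

With the constructed chain, the first provider denies "alice" and the second would grant her; only the second loop treats that denial as final.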
