On Tuesday 25 October 2005 00:29, you wrote:

> This would be OK except that there is a bigger problem that I looked
> into trying to fix at one point but never completed it. The problem is
> the duplication of authorization types. Currently we have both
> mod_authz_groupfile and mod_authz_dbm implementing the types "group" and
> "file-group". This causes a problem because if both of these modules
> are loaded and the configuration contains the directive:
>
> require group foo
> or
> require file-group
>
> which authorization module handles it? Well it seems to be completely
> dependant on load order and/or the use of the directives
> AuthzXXXAuthoritative. In addition to implementing an optional function
> in mod_authz_owner to get the owner id, all authorization types should
> probably be renamed to be unique.
>
> group - mod_authz_groupfile
> dbm-group - mod_authz_dbm
> dbd-group - mod_authz_dbd
> ldap-group - mod_authnz_ldap (already done)
> etc...
>
> thoughts on this...?

Well, AFAICS that ambiguity only really kicks in if you have both
an AuthGroupFile and an AuthDBMGroupFile, which is something that
would be equally(?) problematic in 1.x/2.0. Ugly - yes. Totally
broken - no. Unless I'm missing something?

That still leaves an aura of ambiguity hanging around AuthAuthoritative.
Perhaps a better solution would be to replace that with something like

    AuthOrder user group dbm-group

which specifies an order of authz checks, and makes the last one
'authoritative' in terms of the old logic.

Of course that still leaves file-group looking lonely. Maybe what that
wants is a provider from authz_[file|dbm|dbd|ldap|etc] ?

--
Nick Kew