On 1/12/06, Brad Nicholes <[EMAIL PROTECTED]> wrote: > OK, try this on for size. Since Order,Allow,Deny are all hooked at > the access_checker stage, we should be able to add these directives back > in and allow them to function normally. The real problem is 'Satisfy' > because it had its fingers into the middle of > ap_process_request_internal(). So to get around this problem, I added > the directive back into mod_authz_host (along with Order,Allow,Deny) and > let it do it thing also. 'Satisfy All' is the default (as it was > before) meaning that if the access_checker fails or the authz_checker > fails, then the entire request fails. But if 'Satisfy Any' is specified > then if the access_checker fails, it makes a note of that fact in the > request_rec->notes and defers to the authz_checker. If the > authz_checker fails, obviously the request fails. But if the request > makes it all the way to the mod_authz_default handler, this handler > checks the note and determines whether or not to authorize or reject the > request based on what the current state of both access control and > authz. > > So what this means is that Order,Allow,Deny,Satisfy are back and > *should* function as before along side of the new authz model. This > should resolve the backward compatibility issue with the following > caveat. Both mod_authn_default and mod_authz_default modules must be > loaded. These module implement the catch-all handlers that allow things > to work if no authn or authz is implemented for a <Directory> or > <Location>. Otherwise access is automatically denied. What I would like > to see is the above *should* confirmed to be a *do*. In other words, I > am looking for some help testing this. Any takers? So far my testing > shows that things are good.
The idea seems right to me. I'll try to find time to do some testing, but I'm pretty backed-up at the moment. I would consider moving this compat code into mod_access_compat or something of the like so that it would be easy for people to select whether they want the clean new system or a mix of the new and old system. Since this change will not come until at least 2.4, I think it is acceptable to have module name changes (as we did from 2.0 to 2.2). Joshua.
