On 12/6/06, Nick Kew <[EMAIL PROTECTED]> wrote:
> A corresponding authz hook will implement a "Require inherit"
> to enable subrequests with "inherited" set to be authorized,
> and will run ahead of "normal" authz hooks.
>
> Would that be a good solution here?

I think you mean that if they have 'require inherit' that they bypass
the authz checks if it's a sub-req. Perhaps, but wow, people could
really bust their authz setups if they have allow /foo and deny
/foo/bar - especially with WebDAV accesses.  I sort of think that
makes it just too easy to shoot themselves in the foot and disclose
something that they didn't intend to do.  Maybe make it "require
inherit-i-know-that-this-is-a-blatant-security-risk" - that might be
better, but still.  =P  -- justin