Chris Darroch said the following on 10/29/2008 10:35 PM:
<Directory /humans_and_friendlies_only>
    Require valid-user
    <SatisfyNotAll>
        Require group alien
        <SatisfyAny>
            Require group hostile
            Require group neutral
            Require group noninterventionist
        </SatisfyAny>
    </SatisfyNotAll>
</Directory>
I wonder if we have to stick with building up complicated authorization
expressions by nesting many different directives.
I'd find it much easier to understand if we had fewer directives, and
just built up the more complicated ideas by writing boolean expressions,
which most of us already know how to cope with.
I'm picturing something like this:
<Directory /humans_only>
    AuthorizeIf valid-user AND member-of-group human
</Directory>
Maybe with some syntactic sugar to help break things down into
understandable chunks:
DefineAuthorization friendly NOT (member-of-group hostile OR member-of-group neutral OR member-of-group noninterventionist)
DefineAuthorization human NOT (member-of-group alien)
<Directory /humans_and_friendlies_only>
    AuthorizeIf valid-user AND (human OR friendly)
</Directory>
We could add a few more pre-defined primitives that could be used in
expressions, such as
# Inherit parent authorization, and add another condition
AuthorizeIf authorized-in-parent AND member-of-group vips
# Grant access to all
AuthorizeIf true
Granted, this is very different from the syntax in 2.2 configurations,
so migration would have to be considered. But it might be worthwhile if
something like this reduced confusion and questions on the lists.
Dan
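
The following is an added example, not code from this message or from httpd: a small evaluator for the proposed (hypothetical) `AuthorizeIf` syntax, used to compare the boolean rewrite with the quoted nested block over every combination of group memberships. It assumes top-level `Require` lines are ANDed, `<SatisfyNotAll>` means "not all enclosed requirements hold", and precedence is NOT > AND > OR; `evaluate`, `nested` and `mismatches` are names chosen for this example.

```python
import itertools, re

GROUPS = ["alien", "hostile", "neutral", "noninterventionist"]
DEFS = {  # the two DefineAuthorization lines from the message
    "friendly": "NOT (member-of-group hostile OR member-of-group neutral"
                " OR member-of-group noninterventionist)",
    "human": "NOT (member-of-group alien)",
}
RULE = "valid-user AND (human OR friendly)"  # the AuthorizeIf expression

def evaluate(expr, valid_user, groups):
    """Evaluate a proposed expression; precedence NOT > AND > OR is assumed."""
    toks = re.findall(r"\(|\)|[\w-]+", expr)
    def chain(op, operand):  # left-associative run of one binary operator
        val = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            rhs = operand()  # always parse the right side (no short-circuit)
            val = (val or rhs) if op == "OR" else (val and rhs)
        return val
    def unary():
        tok = toks.pop(0)
        if tok == "NOT":
            return not unary()
        if tok == "(":
            val = chain("OR", lambda: chain("AND", unary))
            if toks.pop(0) != ")":
                raise ValueError("expected ')'")
            return val
        if tok == "member-of-group":
            return toks.pop(0) in groups
        if tok in DEFS:  # named authorization, expanded on use
            return evaluate(DEFS[tok], valid_user, groups)
        if tok in ("valid-user", "true"):
            return valid_user or tok == "true"
        raise ValueError(f"unknown primitive: {tok}")
    result = chain("OR", lambda: chain("AND", unary))
    if toks:
        raise ValueError("trailing tokens")
    return result

def nested(valid_user, groups):  # the quoted <Directory> block, assumed semantics
    return valid_user and not ("alien" in groups and groups & set(GROUPS[1:]))

def mismatches():
    """Every (valid_user, groups) case where the two forms disagree."""
    combos = itertools.product((False, True), repeat=len(GROUPS) + 1)
    cases = [(c[0], {g for g, b in zip(GROUPS, c[1:]) if b}) for c in combos]
    return [c for c in cases if evaluate(RULE, *c) != nested(*c)]
```

`mismatches()` returns an empty list: under those assumptions the two forms grant and deny access identically, which is De Morgan's law applied to the `<SatisfyNotAll>` block.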