On Sunday 01 November 2009, Nick Kew wrote: > On 31 Oct 2009, at 23:14, Stefan Fritsch wrote: > > Hi, > > > > consider this config: > > =================== > > <Location /sec> > > [chop] > > <Location /> > > [chop] > > =================== > > > > From the LimitExcept docs, I would expect that the <Location /> > > block does not affect GET/POST requests at all. But actually, it > > is allowing access from everywhere, overriding the previous > > <Location /sec> block. > > http://httpd.apache.org/docs/2.2/sections.html#mergin > I am aware that directives in the <Location /> section override directives in the earlier <Location /sec> section. But the <Location /> does _not_ contain anything that affects GET/POST. Therefore I would expect that the <Location /sec> section still applies for GET/POST.
The problem is that <LimitExcept X> ... some access control ... </LimitExcept> is treated as <LimitExcept X> ... some access control ... </LimitExcept> <Limit X> Allow from all </Limit> but this is not obvious from the documentation. And it makes it a PITA to globally disallow certain methods (except if using mod_rewrite).
