This is from https://issues.apache.org/bugzilla/show_bug.cgi?id=49927
On Saturday 18 September 2010, bugzi...@apache.org wrote: > --- Comment #3 from Nick Kew <n...@webthing.com> 2010-09-18 > 06:38:34 EDT --- > > > No, the current documentation is correct. The semantics of > > Limit/LimitExcept is just insane. We should relly get rid if it > > in 2.4 and improve the docs for 2.2. Maybe the "unprotected" > > should be big, red, and blinking ;-) > > Agreed. We can even document it as superseded by > <If "$request-method ..."> > having of course checked the expression parser, which probably > needs updating to support things like > "... in GET,HEAD,OPTIONS,TRACE" > without some nasty great OR expression. What do other people think about removing <Limit> and <LimitExcept> and adding mod_allowmethods from the sandbox to easily forbid some methods? Or would this create too much trouble when upgrading configurations? BTW, we could also add an authz provider to allow things like Require method GET,HEAD,... Though this would be slower than mod_allowmethods because authz providers have to parse the require line on every request.