On 15 May 2011, at 1:22 PM, Stefan Fritsch wrote:
> So you implemented it more as a safeguard against confusion with "-A"
> strings in existing expressions than as a security measure?
Yes.
> Do you think that untrusted shtml files are not a common use case?
> In that case I would tend to the "people can always switch back to
> the old restricted expression syntax" solution.
I don't follow what you mean by "untrusted shtml files"?
What the -A option does is say "if this particular request for this
URL would succeed should this particular user attempt to access this
particular URL directly, then show this data". Or in English, you
would use the -A option within a page to show or hide links to
something in a page depending on whether that person has access to
that link.
For example, to hide the link to JIRA from those that don't have
access to JIRA, do this:
<!--#if expr="-A /jira/"-->
<tr><td><a href="/jira/secure/Dashboard.jspa?os_authType=basic">JIRA</a></td><td><li></td></tr>
<!--#endif-->
It works the exact same way that mod_autoindex works, which also sets
up subrequests to answer the question "should I display this
particular file in the directory listing". If the subrequest returns
some kind of error (>= 400), the module goes "oh well, access to that
file not permitted, will leave it off the list".
Regards,
Graham
--
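The subrequest semantics Graham describes, as an added model that is not part of the thread or of mod_include's code: a tiny evaluator resolves each `-A` block by asking a caller-supplied access check (standing in for httpd's subrequest and its authorization decision) for an HTTP status, and drops the block whenever that status is an error (>= 400), exactly as mod_autoindex hides entries. The `ACL` table, `fake_subrequest` and `PAGE` are constructed sample data.

```python
import re
from typing import Callable

# Added illustration of the "-A" test in mod_include, not Apache's code:
# the block between <!--#if expr="-A /path/"--> and <!--#endif--> is kept
# only when a subrequest for /path/ by the same user would succeed.
IF_RE = re.compile(
    r'<!--#if expr="-A\s+(?P<url>[^"\s]+)"-->(?P<body>.*?)<!--#endif-->',
    re.DOTALL,
)

AccessCheck = Callable[[str, str], int]  # (user, url) -> HTTP status code

def render_ssi(page: str, user: str, subrequest: AccessCheck) -> str:
    """Resolve every -A block for `user`, using `subrequest` as the access oracle."""
    def resolve(m):
        status = subrequest(user, m.group("url"))
        # Same rule as mod_autoindex: an error status (>= 400) hides the entry.
        return m.group("body") if status < 400 else ""
    return IF_RE.sub(resolve, page)

# Constructed access policy standing in for httpd's authz decision on the subrequest.
ACL = {"/jira/": {"alice"}, "/wiki/": {"alice", "bob"}}

def fake_subrequest(user: str, url: str) -> int:
    """Return 200 when the user may reach url, 403 when denied, 404 when unknown."""
    if url not in ACL:
        return 404
    return 200 if user in ACL[url] else 403

# Constructed page: three links, each guarded by a -A test on its target.
PAGE = (
    '<ul>'
    '<!--#if expr="-A /jira/"--><li><a href="/jira/">JIRA</a></li><!--#endif-->'
    '<!--#if expr="-A /wiki/"--><li><a href="/wiki/">Wiki</a></li><!--#endif-->'
    '<!--#if expr="-A /gone/"--><li><a href="/gone/">Gone</a></li><!--#endif-->'
    '</ul>'
)

if __name__ == "__main__":
    for who in ("alice", "bob", "mallory"):
        print(who, render_ssi(PAGE, who, fake_subrequest))
```

Each user sees only the links whose target they could fetch directly; a link to a path that does not exist (404) disappears for everyone, just like a 403.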