On Thu, Aug 1, 2013 at 7:54 PM, Mikhail T. <mi+t...@aldan.algebra.com> wrote: > 01.08.2013 22:47, Ben Reser написав(ла): >> That's not a bug at all. In some cases it may be necessary for >> authorization to run for sub-requests. > > Could you give an example or two? Thanks,
Sure. mod_autoindex automatically provides a directory listing of files under a path. However, by default it doesn't display any paths that you don't have access to, e.g. .htaccess. It does this by issuing subrequests for those other paths so that authz can run on them. (This behavior could be changed with IndexOptions ShowForbidden). mod_dav_svn. Numerous commands in SVN impact other paths than the URI (e.g. `svn list` which is similar to the autoindex case above, commiting a copy or move which touch two paths one of which is on in the URI but rather in the headers). mod_dav_svn issues sub requests for these other paths to find out if the actions are allowed on them. Because of the performance impact of this mod_dav_svn has the SVNPathAuthz directive to change this behavior. One of the possible values is short_circuit which causes mod_dav_svn to talk directly to mod_authz_svn rather than doing a subrequest. You might ask why don't we just do this by default? The reason being is if there are other authorization limits placed from other modules then they would no longer respected.
