On Sat, Aug 3, 2013 at 1:41 PM, Mikhail T. <mi+t...@aldan.algebra.com> wrote:
> 03.08.2013 02:05, Ben Reser wrote:
>
> > You don't seriously expect the auth system to know all of those intricacies?
>
> Let me take a step back here. What I found about my particular situation is
> -- using your own term -- absurd:
>
> 1. The current behavior is not documented.
> 2. The current behavior is not even known: neither you, nor anybody else on
>    this list of httpd developers (!) were able to recognize it, when I first
>    asked, nor explain, what's happening. Asking elsewhere proved fruitless too.
> 3. The current behavior suffers from an obvious performance penalty -- wasting
>    CPU-cycles rerunning authz rules multiple times on each hit.
>
> You agree with that -- the only mitigation offered was: a) it used to be
> even worse in 2.2; b) fixing it "would have to be done very carefully".
>
> Need anything more be said or written for a consensus, that things do need
> fixing? And, as per point 3. above, not only on the documentation side... At
> the very least, I'd say, there should be a way to turn it off per subconfig
> (Location, Directory, or vhost). I don't know, how to do it. But it seems
> rather obvious, that it needs to be done.

I don't agree re: necessity. As Ben said, httpd only knows that /tiv (where you tried to punch a hole) and the target of your Action directive have different per-directory configurations, so authorization is checked on the subrequest. It's erring on the side of running authz checks, and I don't disagree that it could be enhanced/optimized.