On Sat, Aug 3, 2013 at 2:34 PM, Mikhail T. <mi+t...@aldan.algebra.com> wrote:
> 03.08.2013 14:14, Eric Covener wrote:
>
> I don't agree re: necessity. As Ben said, httpd only knows that /tiv
> (where you tried to punch a hole) and the target of your Action
> directive have different per-directory configurations, so
> authorization is checked on the subrequest. It's erring on the side
> of running authz checks, and I don't disagree that it could be
> enhanced/optimized.
>
> Point is, it is erring. I asked Ben for possible use-cases and his two
> examples were modules, which use the authorization rules to generate
> different content depending on the result. Rather than to decide, whether to
> authorize the request at all.

I didn't interpret his response that way. Those are modules that will create subrequests/internal redirects to new URIs that could have separate authz applied to them from the original URI -- you can't assume the server is any less interested in performing authz on them. Consider something as basic as (per-directory) mod_rewrite or mod_include. The server can't tell the difference between that and your mod_actions internal redirect to a new URI -- they need to be checked.