03.08.2013 15:19, Eric Covener ???????(??): > I didn't interpret his response that way. Those are modules that will > create subrequests/internal redirects to new URIs that could have > separate authz applied to them from the original URI -- you can't > assume the server is any less interested in performing authz on them. Ben's examples -- given in
CADkdwvRme0QObKdQVCjF+_h7St+CG8zDHhpnLXjup2V=kpq...@mail.gmail.com -- were mod_autoindex and mod_dav_svn. Both -- as far as I understood -- used additional authz-checks when generating the /body/ of the response. Not to decide, whether to authorize the request itself, but to decide, what exactly to send back after the authorization already succeeded. > The server can't tell the difference between that and > your mod_actions internal redirect to a new URI -- they need to be > checked. Then, perhaps, there should be a way for me to tell the server, that such a decision can be made for a particular Location (or Directory, or vhost). Yours, -mi