03.08.2013 15:19, Eric Covener ???????(??):
> I didn't interpret his response that way. Those are modules that will
> create subrequests/internal redirects to new URIs that could have
> separate authz applied to them from the original URI -- you can't
> assume the server is any less interested in performing authz on them.
Ben's examples -- given in
CADkdwvRme0QObKdQVCjF+_h7St+CG8zDHhpnLXjup2V=kpq...@mail.gmail.com
-- were mod_autoindex and mod_dav_svn. Both -- as far as I understood --
used additional authz-checks when generating the /body/ of the response.
Not to decide, whether to authorize the request itself, but to decide,
what exactly to send back after the authorization already succeeded.
> The server can't tell the difference between that and
> your mod_actions internal redirect to a new URI -- they need to be
> checked.
Then, perhaps, there should be a way for me to tell the server, that
such a decision can be made for a particular Location (or Directory, or
vhost).
Yours,
-mi
