From ccff75199f162c9844970d95f5295421a4d27b18 Mon Sep 17 00:00:00 2001 From: Bradley Nicholes Date: Tue, 10 Jan 2006 16:35:10 +0000 Subject: [PATCH] Change to . The keyword 'Satisfy' seems to fit a little better since the blocks can contain both 'Require' and 'Reject' directives git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/authz-dev@367678 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/howto/auth.xml | 20 +++++++++--------- docs/manual/mod/mod_authz_core.xml | 34 +++++++++++++++--------------- modules/aaa/mod_authz_core.c | 12 +++++------ 3 files changed, 33 insertions(+), 33 deletions(-) diff --git a/docs/manual/howto/auth.xml b/docs/manual/howto/auth.xml index 5e29279298a..cad2eb8e723 100644 --- a/docs/manual/howto/auth.xml +++ b/docs/manual/howto/auth.xml @@ -380,24 +380,24 @@ do? you can specify just part of an address or domain name:

- <RequireAll>
+ <SatisfyAll>
  Reject ip 192.101.205
  Reject host cyberthugs.com moreidiots.com
  Reject host ke
- </RequireAll> + </SatisfyAll>

Using the Reject directive - inside of a <RequireAll> + inside of a <SatisfyAll> block, will let you be sure that you are actually restricting things to only the group that you want to let in.

The above example uses the - <RequireAll> block to make sure that all of the + <SatisfyAll> block to make sure that all of the Reject directives are satisfied before granting access. The - <RequireAll> block as well as the - <RequireOne> block + <SatisfyAll> block as well as the + <SatisfyOne> block allow you to apply "AND" and "OR" logic to the authorization processing. For example the following authorization block would apply the logic:

@@ -418,14 +418,14 @@ do?   AuthBasicProvider ...
  ...
  Require user John
-   <RequireAll>
+   <SatisfyAll>
   Require Group admins
   Require ldap-group cn=mygroup,o=foo
-    <RequireOne>
+    <SatisfyOne>
    Require ldap-attribute dept="sales"
    Require file-group
-    </RequireOne>
-   </RequireAll>
+    </SatisfyOne>
+   </SatisfyAll>
</Directory>
diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml index 52a57e345b3..9faac243eee 100644 --- a/docs/manual/mod/mod_authz_core.xml +++ b/docs/manual/mod/mod_authz_core.xml @@ -134,25 +134,25 @@ a resource -RequireAll +SatisfyAll Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers. -<RequireAll> -... </RequireAll> +<SatisfyAll> +... </SatisfyAll> directory.htaccess AuthConfig -

RequireAll and - </RequireAll> are used to enclose a group of +

SatisfyAll and + </SatisfyAll> are used to enclose a group of authorization directives that must all be satisfied in order to grant access to a resource.

The - <RequireAll> block as well as the - <RequireOne> block + <SatisfyAll> block as well as the + <SatisfyOne> block allow you to apply "AND" and "OR" logic to the authorization processing. For example the following authorization block would apply the logic:

@@ -173,14 +173,14 @@ for 'AND' logic to be applied to various authorization providers.   AuthBasicProvider ...
  ...
  Require user John
-   <RequireAll>
+   <SatisfyAll>
   Require Group admins
   Require ldap-group cn=mygroup,o=foo
-    <RequireOne>
+    <SatisfyOne>
    Require ldap-attribute dept="sales"
    Require file-group
-    </RequireOne>
-   </RequireAll>
+    </SatisfyOne>
+   </SatisfyAll>
</Directory>
@@ -192,25 +192,25 @@ for 'AND' logic to be applied to various authorization providers. -RequireOne +SatisfyOne Enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers. -<RequireOne> -... </RequireOne> +<SatisfyOne> +... </SatisfyOne> directory.htaccess AuthConfig -

RequireOne and - </RequireOne> are used to enclose a group of +

SatisfyOne and + </SatisfyOne> are used to enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource.

See the - <RequireAll> directive for a usage example.

+ <SatisfyAll> directive for a usage example.

 diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c index 68ee794fbe1..b3493ac4f74 100644 --- a/modules/aaa/mod_authz_core.c +++ b/modules/aaa/mod_authz_core.c @@ -70,15 +70,15 @@ X- Change the status code to AUTHZ_DENIED, AUTHZ_GRANTED is even necessary. This was used in authn to support authn_alias. Is there a need for an authz_alias? X- Remove the Satisfy directive functionality and replace it with the - , directives + , directives X- Remove the Satisfy directive -X- Implement the block directives +X- Implement the block directives to handle the 'and' and 'or' logic for authorization. X- Remove the AuthzXXXAuthoritative directives from all of the authz providers X- Implement the Reject directive that will deny authorization if the argument is true -X- Fold the Reject directive into the +X- Fold the Reject directive into the logic X- Reimplement the host based authorization 'allow', 'deny' and 'order' as authz providers @@ -414,7 +414,7 @@ static const char *authz_require_section(cmd_parms *cmd, void *mconfig, const ch the req_state and the level will allow it to traverse the list to find the last element in the provider calling list. */ old_reqstate = conf->req_state; - if (strcasecmp (cmd->directive->directive, "directive->directive, "req_state = AUTHZ_REQSTATE_ALL; } else { @@ -445,10 +445,10 @@ static const command_rec authz_cmds[] = AP_INIT_RAW_ARGS("