From: Ruediger Pluem
-Syntax: <Limit method [method] ... > ...
</Limit>
-Context: server config, virtual host, directory, .htaccess
+Override: All
+Context: directory, .htaccess Override: AuthConfig, Limit Status: Core
@@ -1643,13 +1643,44 @@ methods
Module: core LOCK, and UNLOCK. The method name is
case-sensitive. If GET is used it will also
restrict HEAD requests. The TRACE method
- cannot be limited (see <TraceEnable>).
TraceEnable).
<LimitExcept> section should always be
- used in preference to a <Limit> section when restricting access,
- since a <LimitExcept> section provides protection
+ used in preference to a <Limit>
+ section when restricting access, since a <LimitExcept> section provides protection
against arbitrary methods.The <Limit> and
+ <LimitExcept>
+ directives may be nested. In this case, each successive level of
+ <Limit> or <LimitExcept> directives must
+ further restrict the set of methods to which access controls apply.
<Limit> or
+ <LimitExcept> directives with
+ the Require directive,
+ note that the first Require
+ to succeed authorizes the request, regardless of the presence of other
+ Require directives.For example, given the following configuration, all users will
+ be authorized for POST requests, and the
+ Require group editors directive will be ignored
+ in all cases:
+ <LimitExcept GET>
+
+ Require valid-user
+
+ </LimitExcept>
+ <Limit POST>
+
+ Require group editors
+
+ </Limit>
+
<LimitExcept method [method] ... > ...
</LimitExcept>