Re: [AC] Access Control Algorithm

Thomas Roessler wrote:
> On 2007-05-07 10:18:30 -0700, Jonas Sicking wrote:
>> I have been thinking about this over the past few days and I actually think 
>> I agree with you. While it might be confusing that
>>
>> allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com>
>>
>> allows foo.bar.com. I think it's even more confusing that
>>
>> allow <*.bar.com>, deny <foo.bar.com>
>>
>> does. So I think we should have both 'allow' and 'deny', both
>> with 'exclude'. Ordering is not important, but deny rules are
>> processed first.
> 
> I get back to my earlier argument: This suggests to a policy author
> that they can further restrict existing policies.  Have fun with the
> bugreports.

I'm all ears for other proposals, but I think it is critical that both 
the server operator and the content author can restrict access to the 
files to at least the default policy that UAs use today.

Anything else would make me very nervous to implement this at all.

I agree that you could make the server go through all the public files 
on the filesystem and modify them to add excludes as appropriate, or 
filter each request on the fly. However that system is significantly 
more complicated and I doubt that anyone would have that ready to go 
once the problem hits. It also does not allow the content author to 
override a server set AC header.

/ Jonas

Received on Monday, 21 May 2007 23:31:25 UTC