authorStefan Fritsch <sf@apache.org>2011-01-08 15:29:12 +0100
committerStefan Fritsch <sf@apache.org>2011-01-08 15:29:12 +0100
commit4545ed5fcc08e102f4b4c39ff60f107abb5dfb5e (patch)
treeb1cfefe3edd43bb540e4aa8b8bd2f67c803ceaff
parentAdd rpluem's suggested warning against of loss of logging data on a crash. (diff)
downloadapache2-4545ed5fcc08e102f4b4c39ff60f107abb5dfb5e.tar.xz
apache2-4545ed5fcc08e102f4b4c39ff60f107abb5dfb5e.zip
Fix a bug in authz logic merging which caused
    section->op == AUTHZ_LOGIC_AND
    auth_result == AUTHZ_DENIED_NO_USER
    child_result == AUTHZ_GRANTED

to return AUTHZ_GRANTED instead of AUTHZ_DENIED_NO_USER.

While there, refactor the if blocks to make them a bit more readable.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1056713 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rw-r--r--CHANGES3
-rw-r--r--modules/aaa/mod_authz_core.c35
2 files changed, 24 insertions, 14 deletions
diff --git a/CHANGES b/CHANGES
index 42a65dfbc6..66f0c0b0e2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
Changes with Apache 2.3.11
+ *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
+ authorization directives were mixed. [Stefan Fritsch]
+
*) mod_authn_socache: change directive name from AuthnCacheProvider
to AuthnCacheProvideFor. The term "provider" is overloaded in
this module, and we should avoid confusion between the provider
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index 6d4e893634..8be3487b36 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -730,21 +730,28 @@ static authz_status apply_authz_sections(request_rec *r,
* AUTHZ_DENIED_NO_USER if providing a user may change the
* result, AUTHZ_DENIED otherwise.
*/
- if (!(section->op == AUTHZ_LOGIC_AND
- && auth_result == AUTHZ_DENIED
- && child_result == AUTHZ_DENIED_NO_USER)
- && !(section->op == AUTHZ_LOGIC_OR
- && auth_result == AUTHZ_DENIED_NO_USER
- && child_result == AUTHZ_DENIED) )
- {
- auth_result = child_result;
+ if (section->op == AUTHZ_LOGIC_AND) {
+ if (child_result == AUTHZ_DENIED) {
+ auth_result = child_result;
+ break;
+ }
+ if ((child_result == AUTHZ_DENIED_NO_USER
+ && auth_result != AUTHZ_DENIED)
+ || (auth_result == AUTHZ_NEUTRAL)) {
+ auth_result = child_result;
+ }
}
-
- if ((section->op == AUTHZ_LOGIC_AND
- && child_result == AUTHZ_DENIED)
- || (section->op == AUTHZ_LOGIC_OR
- && child_result == AUTHZ_GRANTED)) {
- break;
+ else {
+ /* AUTHZ_LOGIC_OR */
+ if (child_result == AUTHZ_GRANTED) {
+ auth_result = child_result;
+ break;
+ }
+ if ((child_result == AUTHZ_DENIED_NO_USER
+ && auth_result == AUTHZ_DENIED)
+ || (auth_result == AUTHZ_NEUTRAL)) {
+ auth_result = child_result;
+ }
}
}
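Review bot: The `else` marked `/* AUTHZ_LOGIC_OR */` takes every `section->op` value other than `AUTHZ_LOGIC_AND`, so an unexpected op would be merged with the OR rules, which is the more permissive of the two paths in an access decision. Whether any other op can reach this point is not visible here, since `apply_authz_sections` starts and ends outside the hunk; if none can, say so next to the comment, otherwise use `else if (section->op == AUTHZ_LOGIC_OR) {` with a final branch that denies, so the merge fails closed. Separately, in the AND branch the test `auth_result != AUTHZ_DENIED` looks always true, because an `AUTHZ_DENIED` child hits the `break` just above, assuming `auth_result` does not start out as `AUTHZ_DENIED`; dropping it or adding a short comment would make the decision table easier to audit. Because the fixed case granted access where a user should have been requested, a regression test covering mixed user-based and non-user-based directives under both operators would be worth adding with this change.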