I set up a server script directory called /bug containing the attached .htaccess file and script, test.cgi. In this configuration, GETing and POSTing /bug/test.cgi both require authentication. If the order of the Limit directives is reversed, neither requires authentication. Should the "satisfy all" and "satisfy any" directives be limited to the scope of the respective Limit directives? This setup is just to demonstrate the problem and not what I actually want to achieve. ------------------------ .htaccess ---------------------------------- AuthType Basic AuthName Basic AuthUserFile /usr/local/apache2/htaccess/htpasswd AuthGroupFile /usr/local/apache2/htaccess/htgroup <Limit GET> satisfy any allow from all require valid-user </Limit> <Limit POST> satisfy all allow from all require valid-user </Limit> ---------------------- test.cgi ------------------------- #!/bin/sh cat <<EOD Content-type: text/html Hello! <p> <form action="/bug/test.cgi" method="post"> <input type="submit"> </form> EOD ------------------------------------------------------------
It never worked. But considered useful ;) It was fixed in 2.1 and is a possible candidate for being backported into 2.0. Thanks for the report and for using Apache.