Authorization checking

["Dirk.vanGulik" <Di...@jrc.it>]

I am not sure wether the message attached below has reached the 
list.

Essentially what the guy is proposing is to alway pass along the auth
information to cgi-scripts. (Or pass all header info along), even
if there is no auth set in apache.

This would allow client scripts, by using an modifed status reply
to 'fake' or do their own authorization control.

I think this is a very good idea.

If no one objects or has better ideas I will look into this and
ensure that all information from the header gets passed to the
cgi-scripts regardless of the auth checking. This is IMHO a
good thing anyway.

Of course, this does imply that the cgi authors will have to
be responsible for their own security stuff :-)

Dw.



----- Begin Included Message -----