The documentation of the RequireAll directive says :
<RequireAll>and</RequireAll>are used to enclose a group of authorization directives of which none must fail and at least one must succeed in order for the directive to succeed.
This suggests that authorization directives have a "not failed" status which is not "success" either (or I am missing something, which is my point ;-)
This bug report (point 1) refers to tri-state authorization status (success / failure / neutral) but I couldn't find anything else about this, even in the official documentation.
Last point (maybe not directly related to this 3-state question but participating to my misunderstanding) : the "Access control by host" documentation page states
You can insert
notto negate a particular requirement. Note, that since anotis a negation of a value, it cannot be used by itself to allow or deny a request, asnot truedoes not constitutefalse.Thus, to deny a visit using a negation, the block must have one element that evaluates as
trueorfalse. For example, if you have someone (with IP 10.252.46.165) spamming your message board, and you want to keep them out, you could do the following:
<RequireAll>
Require all granted
Require not ip 10.252.46.165
</RequireAll>
To me, Require ip 10.252.46.165 would be :
- for the owner of that IP :
true - for anybody else :
false
and Require not ip 10.252.46.165 :
- for the owner of that IP :
false - for anybody else :
true
What's the point of emphasizing that "not true isn't false" ?
Can you, please, give some use cases with explanations ?
