On Fri, 2007-10-05 at 08:15 +0200, Magnus Holmgren wrote:
> Errm. § 40.8 says (about the QUIT ACL) that "You do not need to have a final
> accept", and logically the same should apply to the not-QUIT ACL. It's only
> explicit denys that are forbidden (at least by the implementation). And by
> the way, that wasn't even the issue here.
Hrm...
I just read, and closed, #608 with the comments that an explicit deny in
the QUIT or not-QUIT ACLs is invalid per the spec.
Surely calling a child (nested) ACL which returns a deny is the same as
explicitly stating deny?
Or... thinking about it... in this case, with the child ACL returning an
explicit deny, the statement resolves (in human terms at least!) as:
    accept acl = false
so any further processing of that ACL section will halt, and it'll drop
to the next part - as none is defined, that hits the implicit deny which
in the case of the QUIT and not-QUIT ACLs is irrelevant anyway, as the
connection has gone away already and no further access control is
possible.
The interesting part here is that by calling the child ACL from the QUIT
or not-QUIT ACL, should the same rules apply? IMO they should do - so
deny is an invalid verb in the child ACL as well as the parent ACL for
QUIT and not-QUIT - but this may be argued against by others!