<filter>
<FILTER ALLOWDOMAIN=stanford.edu ALLOWGROUP=my-grp>
This paragraph has a bunch of filters on it. We first restrict ourselves
to only the Stanford domain, so the rest of the world can't see this.
Then we add an extra overriding usergroup clause, so that anyone who is
user mogens with password foo or user foo with password bar can
read this paragraph.
<filter>
As long as the filters are of the same kind (ALLOWs) we can list them,
since we are only adding permissions.
<FILTER ALLOWGROUP=my-grp ALLOWDOMAIN=stanford.edu>
Yet another paragraph with a bunch of filters on it.
We first restrict ourselves to the users mogens and foo (group my-grp)
and then add the restriction that we must be in the Stanford
domain. This has exactly the same effect as the previous filter.
<filter>
If we swapped the last two DENYs we would not change anything, but swapping the
first two would be a bad idea, since they are different kinds: ALLOW and
DENY.
Swapping the first two would give us
<FILTER ALLOWGROUP=my-grp DENYUSER=foo DENYDOMAIN=foo.stanford.edu>
So first: allow any user who belongs to the group my-grp
(consisting of mogens and foo) to
see this, provided he is not user foo and the person is not
logged in from the machine foo.stanford.edu
If you are not foo, but are logged in from foo.stanford.edu, the filter
would strip out this part as the later DENY takes precedence.
<FILTER DENYUSER=foo ALLOWGROUP=mygrp DENYDOMAIN=foo.stanford.edu>
which means:
If the user is foo, ignore him, unless he is part of my-grp, which foo is.
Thus the initial DENYUSER restriction disappears. Even if you are part of
my-grp, if you happen to be logged in from foo.stanford.edu, you will
be ignored.