- patch [Issue 3984] & [Issue 3989] : Security issues with Assertion, Pre-R...

abobrov

19.17.2009 5cdce74a9ac94e3a4b5e369b22ab6fcf9bbbb384

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java

@@ -532,9 +532,18 @@

          try
          {
            // FIXME -- We need to determine whether the current user has
            //          permission to make this determination.
            SearchFilter filter = assertControl.getSearchFilter();

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, entry, filter))
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
            }

            if (! filter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
@@ -680,10 +689,11 @@
        }
      }

      // FIXME -- Check access controls on the entry to see if it should
      //          be returned or if any attributes need to be stripped
      //          out..
      SearchResultEntry searchEntry = new SearchResultEntry(entryCopy);
      // Check access controls on the entry and strip out
      // any not allowed attributes.
      SearchResultEntry searchEntry =
        AccessControlConfigManager.getInstance().
        getAccessControlHandler().filterEntry(this, entryCopy);
      LDAPPreReadResponseControl responseControl =
           new LDAPPreReadResponseControl(preReadRequest.isCritical(),
                                          searchEntry);