mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
parent: 121887a5 | patch | commit | show whitespace
dugan
24.21.2007 3f0d9ed26dc0071eb58994653ee6c026d1e503f4 
Fix problem where a non-global ACI containing an "extop" keyword target was erroneously being evaluated for all operations, instead of extended operations only.  
The was causing the results of the ldapsearch in issue 2509 to not return results when it should have.
Issue 2509.
1 files modified
10 ■■■■■ changed files
opends/src/server/org/opends/server/authorization/dseecompat/Aci.java 10 ●●●●● patch | view | raw | blame | history 
 opends/src/server/org/opends/server/authorization/dseecompat/Aci.java


@@ -460,8 +460,15 @@


         return AciTargets.isTargetApplicable(aci, matchCtx) &&


                AciTargets.isTargetControlApplicable(aci, matchCtx);


      } else {


        //If an ACI has extOp or targetControl targets skip it because the


        //matchCtx right does not contain either ACI_EXT_OP or ACI_CONTROL at


        //this point.


        if(aci.getTargets().getExtOp() != null ||


          (aci.getTargets().getTargetControl() != null)) {


           return false;


        } else {


        int ctxRights = matchCtx.getRights();


        //First check if the ACI and context have similar rights.


        //Check if the ACI and context have similar rights.


        if(!aci.hasRights(ctxRights)) {


          if(!(aci.hasRights(ACI_SEARCH| ACI_READ) &&


                  matchCtx.hasRights(ACI_SEARCH | ACI_READ)))


@@ -473,6 +480,7 @@


                AciTargets.isTargetAttrApplicable(aci, matchCtx);


      }


    }


    }




    /**


     * Check if the body of the ACI matches the rights specified.