
dugan
28.44.2007 805714dec1ec8a2e8082436a22df69838887df21
Fix the targetattr not-equal operator giving access to an operational attribute because a user attribute did not match, or giving access to a user attribute because an operational attribute did not match. For example:

(targetattr != userpassword)

should not give access to the operational attribute
createtimestamp.
1 files modified
42 ■■■■■ changed files
opends/src/server/org/opends/server/authorization/dseecompat/TargetAttr.java
@@ -117,6 +117,7 @@
        }
    }
    /**
     * Converts each element of an array of attribute strings
     * to attribute types and adds them to either the user attributes HashSet or
@@ -256,29 +257,40 @@
     * First check is to see if the attribute type is operational. If so then
     * a match is true if the allOpAttributes boolean is true or if the
     * attribute type is found in the operational attributes HashSet.
     * Both results can be negated if the expression operator is NOT_EQUALITY).
     *
     * Second check is similar to above, except the user attributes boolean
     * and HashSet is examined. Both results can be negated if the expression
     * operator is NOT_EQUALITT).
     * and HashSet is examined.
     *
     *
     * @param a The attribute type to evaluate.
     * @param targetAttr The targetAttr to apply to the attribute type.
     * @return True if the attribute type is applicable to the targetAttr.
     */
    private static
    boolean evalAttrType(AttributeType a, TargetAttr targetAttr) {
      private static
      boolean evalAttrType(AttributeType a, TargetAttr targetAttr) {
        boolean ret=false;
        if(a.isOperational()) {
            if(targetAttr.isAllOpAttributes() ||
                    targetAttr.opAttributes.contains(a))
                ret=true;
          if(targetAttr.isAllOpAttributes() ||
                  targetAttr.opAttributes.contains(a))
            ret=true;
          if(targetAttr.isAllOpAttributes() ||
             !targetAttr.opAttributes.isEmpty()) {
            if(targetAttr.getOperator().
                    equals(EnumTargetOperator.NOT_EQUALITY))
              ret=!ret;
          }
        } else {
            if(targetAttr.isAllUserAttributes() ||
                    targetAttr.attributes.contains(a))
                ret=true;
          if(targetAttr.isAllUserAttributes() ||
                  targetAttr.attributes.contains(a))
            ret=true;
          if(targetAttr.isAllUserAttributes() ||
                  !targetAttr.attributes.isEmpty()) {
            if(targetAttr.getOperator().
                    equals(EnumTargetOperator.NOT_EQUALITY))
              ret=!ret;
          }
        }
        if(targetAttr.getOperator().equals(EnumTargetOperator.NOT_EQUALITY))
            ret = !ret;
        return ret;
    }
}
      return ret;
      }
  }
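Review bot: The Javadoc added at the top of this hunk carries two typos that will confuse the next reader of an access-control decision: `NOT_EQUALITY)` has a stray parenthesis and `NOT_EQUALITT)` is misspelled; suggest `* Both results are negated if the expression operator is NOT_EQUALITY.` and `* operator is NOT_EQUALITY.`. The negation rule itself — invert the match only when the attribute's own class (operational or user) is named in the targetattr, via the "all" flag or a non-empty set — is now written out twice, once per branch, so a small helper such as `private static boolean negate(TargetAttr t, boolean classListed) { return classListed && t.getOperator() == EnumTargetOperator.NOT_EQUALITY; }` would keep the two branches from drifting apart, and if EnumTargetOperator is an enum as its name suggests, `==` reads better than `equals`. Since this decides whether a `!=` rule grants access, a unit test pinning the four cases described in the commit message (user attribute listed/unlisted and operational attribute listed/unlisted, each under `!=`) would guard the fix; none is visible in this change. The indentation of the new lines is uneven (the method header and its `return` sit at a different depth from the body), which may be a rendering artifact of this page rather than the file.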