mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

dugan
24.21.2007 8cc8cc816af3eb836c72b21b7566b3f948c4c268
Fix problem where a non-global ACI containing an "extop" keyword target was erroneously being evaluated for all operations, instead of extended operations only.  
This was causing the ldapsearch in issue 2509 to not return results when it should have.
Issue 2509.
1 files modified
10 ■■■■■ changed files
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java 10 ●●●●●
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
@@ -460,8 +460,15 @@
         return AciTargets.isTargetApplicable(aci, matchCtx) &&
                AciTargets.isTargetControlApplicable(aci, matchCtx);
      } else {
        //If an ACI has extOp or targetControl targets skip it because the
        //matchCtx right does not contain either ACI_EXT_OP or ACI_CONTROL at
        //this point.
        if(aci.getTargets().getExtOp() != null ||
          (aci.getTargets().getTargetControl() != null)) {
           return false;
        } else {
        int ctxRights = matchCtx.getRights();
        //First check if the ACI and context have similar rights.
        //Check if the ACI and context have similar rights.
        if(!aci.hasRights(ctxRights)) {
          if(!(aci.hasRights(ACI_SEARCH| ACI_READ) &&
                  matchCtx.hasRights(ACI_SEARCH | ACI_READ)))
@@ -473,6 +480,7 @@
                AciTargets.isTargetAttrApplicable(aci, matchCtx);
      }
    }
    }
    /**
     * Check if the body of the ACI matches the rights specified.