From 46cab3f512175aad4993c54f245ef937736f353f Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Tue, 22 May 2007 12:32:21 +0000
Subject: [PATCH] Add needed check for entry match in testFilter NOT filter component processing. Issues 1621.

---
 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |   20 ++++++++++++++++----
 1 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 505937e..cb2c8f1 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -698,9 +698,12 @@
      * @param container  The container used in the access evaluation.
      * @param filter The filter to check access on.
      * @return  True if all attribute types in the filter have access.
+     * @throws DirectoryException If there is a problem matching the entry
+     *                            using the provided filter.
      */
     private boolean
-    testFilter(AciLDAPOperationContainer container, SearchFilter filter) {
+    testFilter(AciLDAPOperationContainer container, SearchFilter filter)
+    throws DirectoryException {
         boolean ret=true;
         switch (filter.getFilterType()) {
             case AND:
@@ -710,9 +713,14 @@
                         return false ;
                 break;
             }
-            case NOT:  {
+            case NOT: {
+                ret=false;
                 SearchFilter f = filter.getNotComponent();
-                ret=!testFilter(container, f);
+                if(f.matchesEntry(container.getResourceEntry()))
+                  ret=true;
+                if(ret)
+                  ret=testFilter(container, f);
+                ret=!ret;
                 break;
             }
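Review bot: The `NOT` case now returns true in two situations whose intent is not documented: when the inner filter does not match the resource entry (its attribute types then get no access evaluation at all), and when it matches but the recursive `testFilter` call denies access. That no longer fits the method's `@return` text, "True if all attribute types in the filter have access", so a comment explaining why an unmatched or unauthorized NOT component counts as allowed would help the next reader of this access-control path. The four assignments to `ret` can also be collapsed to `ret = !(f.matchesEntry(container.getResourceEntry()) && testFilter(container, f));`, which keeps the same short-circuit and removes the unbraced `if` bodies. The enclosing switch and method continue outside this hunk.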
             default: {
@@ -885,7 +893,11 @@
                       (ACI_SEARCH), entry);
       boolean ret;
       if(!(ret=skipAccessCheck(operation))) {
-          ret=testFilter(operationContainer, operation.getFilter());
+          try {
+            ret=testFilter(operationContainer, operation.getFilter());
+          } catch (DirectoryException ex)  {
+            ret=false;
+          }
           if (ret) {
               operationContainer.clearACIEvalAttributesRule(ACI_NULL);
               operationContainer.setRights(ACI_READ);
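Review bot: The new `catch (DirectoryException ex)` fails closed, which is the right default for an access decision, but it discards `ex` entirely, so a filter-matching error cannot be told apart from an ordinary ACI denial when someone investigates a refused search. Record the exception through whatever logger this class already uses before setting `ret=false`, and add a comment such as `// Deny access if the filter cannot be evaluated against the entry.`. The enclosing method starts and ends outside this hunk.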

--
Gitblit v1.10.0