From 4bddd152a9e15207d8003f6f74e70ebc6f07cc7e Mon Sep 17 00:00:00 2001
From: Valery Kharseko <vharseko@3a-systems.ru>
Date: Mon, 05 Aug 2024 13:48:27 +0000
Subject: [PATCH] [#84] FIX incorrect entry-Based ACIs is defined with only "deny" permission without "allow" (#372)

---
 opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
index 76f6d76..17e6720 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -14,6 +14,7 @@
  * Copyright 2008-2010 Sun Microsystems, Inc.
  * Portions Copyright 2011-2016 ForgeRock AS.
  * Portions Copyright 2013 Manuel Gaupp
+ * Portions Copyright 2024 3A Systems, LLC.
  */
 package org.opends.server.authorization.dseecompat;
 
@@ -1032,7 +1033,7 @@
   {
     evalCtx.setEvaluationResult(NO_REASON, null);
 
-    if (evalCtx.getAllowList().isEmpty()
+    if (evalCtx.getAllowList().isEmpty() && evalCtx.getDenyList().isEmpty()
         && (!evalCtx.isGetEffectiveRightsEval()
             || evalCtx.hasRights(ACI_SELF)
             || !evalCtx.isTargAttrFilterMatchAciEmpty()))
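Review bot: Default-deny for a request with an empty allow list and a non-empty deny list now depends on code after the `if` in the second hunk, because the added `&& evalCtx.getDenyList().isEmpty()` skips the early rejection in that case. The method body starts and ends outside the hunk, so it should be confirmed there that the fall-through still returns a denial when no allow ACI exists and no deny ACI matches. Since this condition is the access decision, it deserves a why-comment above it, for example `// Deny-only ACIs: do not short-circuit, so the deny list is still evaluated; with no allow ACI the result must remain a denial.` A regression test would also help, asserting that an entry carrying only deny ACIs still refuses a subject that none of the deny rules match, for both normal and geteffectiverights evaluation. Any existing comment inside the branch that describes it as the "allow list is empty" case would presumably need updating to match the new condition.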

--
Gitblit v1.10.0