From 5cdce74a9ac94e3a4b5e369b22ab6fcf9bbbb384 Mon Sep 17 00:00:00 2001
From: abobrov <abobrov@localhost>
Date: Mon, 18 May 2009 23:17:06 +0000
Subject: [PATCH] - patch [Issue 3984] & [Issue 3989] : Security issues with Assertion, Pre-Read, Post-Read Controls.

---
 opends/src/server/org/opends/server/api/AccessControlHandler.java |   42 ++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/api/AccessControlHandler.java b/opends/src/server/org/opends/server/api/AccessControlHandler.java
index ccb590a..6f5f534 100644
--- a/opends/src/server/org/opends/server/api/AccessControlHandler.java
+++ b/opends/src/server/org/opends/server/api/AccessControlHandler.java
@@ -319,6 +319,30 @@
 
 
   /**
+   * Indicates whether the provided operation search filter is allowed
+   * based on the access control configuration. This method should not
+   * alter the provided operation in any way.
+   *
+   * @param operation
+   *          The operation for which to make the determination.
+   * @param entry
+   *          The entry for which to make the determination.
+   * @param filter
+   *          The filter to check access on.
+   * @return {@code true} if the operation should be allowed by the
+   *         access control configuration, or {@code false} if not.
+   * @throws DirectoryException
+   *           If an error occurred while performing the access
+   *           control check. For example, if an attribute could not
+   *           be decoded. Care must be taken not to expose any
+   *           potentially sensitive information in the exception.
+   */
+  public abstract boolean isAllowed(Operation operation, Entry entry,
+    SearchFilter filter) throws DirectoryException;
+
+
+
+  /**
    * Indicates whether the provided search result entry may be sent to
    * the client. Implementations <b>must not under any
    * circumstances</b> modify the search entry in any way.
@@ -357,6 +381,24 @@
 
 
   /**
+   * Filter the contents of the provided entry such that it no longer
+   * contains any attributes or values that the client is not
+   * permitted to access.
+   *
+   * @param operation
+   *          The operation with which the provided entry is
+   *          associated.
+   * @param entry
+   *          The entry to be filtered.
+   * @return Returns the entry with filtered attributes and values
+   *         removed.
+   */
+  public abstract SearchResultEntry filterEntry(
+      Operation operation, Entry entry);
+
+
+
+  /**
    * Indicates whether the provided search result reference may be
    * sent to the client based on the access control configuration.
    *

--
Gitblit v1.10.0