From 3f0d9ed26dc0071eb58994653ee6c026d1e503f4 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 24 Oct 2007 21:21:32 +0000
Subject: [PATCH] Fix problem where a non-global ACI containing an "extop" keyword target was erroneously being evaluated for all operations, instead of extended operations only. The was causing the results of the ldapsearch in issue 2509 to not return results when it should have. Issue 2509.
---
opends/src/server/org/opends/server/authorization/dseecompat/Aci.java | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java b/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
index 3f42e87..5c99c3d 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
@@ -460,18 +460,26 @@
return AciTargets.isTargetApplicable(aci, matchCtx) &&
AciTargets.isTargetControlApplicable(aci, matchCtx);
} else {
+ //If an ACI has extOp or targetControl targets skip it because the
+ //matchCtx right does not contain either ACI_EXT_OP or ACI_CONTROL at
+ //this point.
+ if(aci.getTargets().getExtOp() != null ||
+ (aci.getTargets().getTargetControl() != null)) {
+ return false;
+ } else {
int ctxRights = matchCtx.getRights();
- //First check if the ACI and context have similar rights.
+ //Check if the ACI and context have similar rights.
if(!aci.hasRights(ctxRights)) {
if(!(aci.hasRights(ACI_SEARCH| ACI_READ) &&
matchCtx.hasRights(ACI_SEARCH | ACI_READ)))
return false;
}
- return AciTargets.isTargetApplicable(aci, matchCtx) &&
+ return AciTargets.isTargetApplicable(aci, matchCtx) &&
AciTargets.isTargetFilterApplicable(aci, matchCtx) &&
AciTargets.isTargAttrFiltersApplicable(aci, matchCtx) &&
AciTargets.isTargetAttrApplicable(aci, matchCtx);
}
+ }
}
/**
--
Gitblit v1.10.0