From 777a6cd427a2cafcb5e10f2814c3cd623ebc22b6 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Thu, 31 May 2007 16:59:31 +0000
Subject: [PATCH] Fix erroneous delete and proxy effective rights results. Issue 1620.

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java |   37 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 36 insertions(+), 1 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
index 2300504..f14e5ad 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
@@ -284,7 +284,7 @@
             if(evalCtx.isDenyEval() &&
                     (p.hasAccessType(EnumAccessType.ALLOW)))
                 continue;
-            if(!p.hasRights(evalCtx.getRights()))
+            if(!p.hasRights(getEvalRights(evalCtx)))
                 continue;
             res=p.getBindRule().evaluate(evalCtx);
             // The evaluation result could be FAIL. Stop processing and return
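Review bot: The replaced check now passes a single right to `p.hasRights(...)`, and that value is `ACI_NULL` whenever the context carries none of the rights the new helper enumerates; what `hasRights(ACI_NULL)` returns is not visible in this patch, and if it is true for a permission with no rights, the loop would go on to evaluate the bind rule on an empty right set. A cheap guard makes the intent explicit regardless: `int rights = getEvalRights(evalCtx); if (rights == ACI_NULL || !p.hasRights(rights)) continue;`. The enclosing evaluation loop starts and ends outside this hunk, so I cannot tell whether an earlier check already rules this case out.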
@@ -318,4 +318,39 @@
   public String getName() {
       return this.name;
     }
+
+
+  /**
+   * Mainly used because geteffectiverights adds flags to the rights that aren't
+   * needed in the actual evaluation of the ACI. This routine returns only the
+   * rights needed in the evaluation. The order does matter, ACI_SELF evaluation
+   * needs to be before ACI_WRITE.
+   *
+   * @param evalCtx  The evaluation context to determine the rights of.
+   * @return  The evaluation rights to used in the evaluation.
+   */
+  private int getEvalRights(AciEvalContext evalCtx) {
+    if(evalCtx.hasRights(ACI_WRITE) &&
+            evalCtx.hasRights(ACI_SELF))
+      return ACI_SELF;
+    else  if(evalCtx.hasRights(ACI_COMPARE))
+      return ACI_COMPARE;
+    else if(evalCtx.hasRights(ACI_SEARCH))
+      return ACI_SEARCH;
+    else if(evalCtx.hasRights(ACI_READ))
+      return ACI_READ;
+    else if(evalCtx.hasRights(ACI_DELETE))
+      return ACI_DELETE;
+    else if(evalCtx.hasRights(ACI_ADD))
+      return ACI_ADD;
+    else if(evalCtx.hasRights(ACI_WRITE))
+      return ACI_WRITE;
+    else if(evalCtx.hasRights(ACI_PROXY))
+      return ACI_PROXY;
+    else if(evalCtx.hasRights(ACI_IMPORT))
+      return ACI_IMPORT;
+    else if(evalCtx.hasRights(ACI_EXPORT))
+      return ACI_EXPORT;
+    return ACI_NULL;
+  }
 }
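Review bot: `getEvalRights` reduces a context that may carry several rights to exactly one, so apart from the documented ACI_SELF-before-ACI_WRITE case, any further rights in the context are silently dropped from the permission check in the first hunk; if that is intended only for the flags geteffectiverights adds, the Javadoc should say which flags those are rather than "flags that aren't needed", and the `@return` line has a typo (`to used` → `to use`). The priority order is also spread across ten `else if` branches with no braces and an `else  if` double space, which makes the order hard to audit; an ordered array keeps the ACI_SELF special case visible and the rest in one place, as sketched below. The helper reads nothing from `this`, so it can be `static`.
```java
  /** Rights in the order they are tested; ACI_SELF is handled first, before ACI_WRITE. */
  private static final int[] EVAL_RIGHTS_ORDER = {
      ACI_COMPARE, ACI_SEARCH, ACI_READ, ACI_DELETE, ACI_ADD,
      ACI_WRITE, ACI_PROXY, ACI_IMPORT, ACI_EXPORT };

  private static int getEvalRights(AciEvalContext evalCtx) {
    // ACI_SELF only counts when combined with ACI_WRITE, and must win over it.
    if (evalCtx.hasRights(ACI_WRITE) && evalCtx.hasRights(ACI_SELF)) {
      return ACI_SELF;
    }
    for (int right : EVAL_RIGHTS_ORDER) {
      if (evalCtx.hasRights(right)) {
        return right;
      }
    }
    return ACI_NULL;
  }
```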

--
Gitblit v1.10.0