From 777a6cd427a2cafcb5e10f2814c3cd623ebc22b6 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Thu, 31 May 2007 16:59:31 +0000
Subject: [PATCH] Fix erroneous delete and proxy effective rights results. Issue 1620.

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java |   24 +++++++++++++++++++-----
 1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
index 2ef9ad7..d37ec3a 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
@@ -105,6 +105,12 @@
   //related to the "aclRightsInfo" attribute can be performed.
   private static AttributeType aclRightsInfo = null;
 
+  //Attribute type used in the geteffectiverights selfwrite evaluation.
+  private static AttributeType dnAttributeType=null;
+
+  //The distinguishedName string.
+  private static final String dnAttrStr = "distinguishedname";
+
   //String used to fill in the summary status field when access was allowed.
   private static String ALLOWED="access allowed";
 
@@ -192,10 +198,12 @@
     int attrMask=ACI_NULL;
     if(aclRights == null)
       aclRights =
-              DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase());
+               DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase());
     if(aclRightsInfo == null)
       aclRightsInfo =
            DirectoryServer.getAttributeType(aclRightsInfoAttrStr.toLowerCase());
+    if(dnAttributeType == null)
+      dnAttributeType = DirectoryServer.getAttributeType(dnAttrStr);
     //Check if the attributes aclRights and aclRightsInfo were requested and
     //add attributes less those two attributes to a new list of attribute types.
     for(String a : searchAttributes) {
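Review bot: The lazy lookup `dnAttributeType = DirectoryServer.getAttributeType(dnAttrStr);` is never checked for a null result, and the cached value is later passed straight to `container.setCurrentAttributeType(dnAttributeType)` in the selfwrite hunk. If the schema lookup can return null (not visible here, so please confirm), the selfwrite evaluation would run with no attribute type and could report rights that do not match what the ACIs grant. Guarding the use site, for example `if(!specificAttr && dnAttributeType != null)`, or logging and skipping the override when the lookup fails, would make that case explicit. The enclosing method starts and ends outside this hunk.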
@@ -227,13 +235,13 @@
     //return the specific attribute rights if they exist.
     if(nonRightsAttrs.isEmpty()) {
       e=addAttributeLevelRights(container,handler,attrMask,e,
-              container.getSpecificAttributes(), skipCheck);
+              container.getSpecificAttributes(), skipCheck, true);
       e=addEntryLevelRights(container,handler,attrMask,e, skipCheck);
     } else {
       e=addAttributeLevelRights(container,handler,attrMask,e,
-              nonRightsAttrs,skipCheck);
+              nonRightsAttrs, skipCheck, false);
       e=addAttributeLevelRights(container,handler,attrMask,e,
-              container.getSpecificAttributes(), skipCheck);
+              container.getSpecificAttributes(), skipCheck, true);
       e=addEntryLevelRights(container,handler,attrMask,e,skipCheck);
     }
     return e;
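Review bot: The three `addAttributeLevelRights` calls now end in a bare `true` or `false`, and nothing at the call site says which list counts as "specific". Swapping one of these literals would silently change which attribute type the selfwrite rights are evaluated against, and that is hard to catch in review of access-control code. Naming the argument at the call, for example `container.getSpecificAttributes(), skipCheck, true /* specificAttr */);`, or introducing two named boolean constants, would make the intent checkable. The enclosing method starts outside this hunk.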
@@ -267,6 +275,8 @@
    * @param attrList The list of attribute types to iterate over.
    * @param skipCheck True if ACI evaluation was skipped because bypass-acl
    *                  privilege was found.
+   * @param  specificAttr True if this evaluation is result of specific
+   *                      attributes sent in the request.
    * @return  A SearchResultEntry with geteffectiverights attribute level
    *          information added to it.
    */
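Review bot: The new `@param specificAttr` text says where the flag comes from but not what it changes, so a caller cannot tell what passing `false` does. From the later hunk, a false value makes the selfwrite evaluation use the distinguishedName attribute type instead of the attribute being iterated. I would word it as `@param specificAttr True if attrList holds the specific attributes sent in the request; if false, selfwrite rights are evaluated against the distinguishedName attribute type.` The doubled space after `@param` can be dropped at the same time.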
@@ -275,7 +285,8 @@
                                         AciHandler handler, int mask,
                                         SearchResultEntry retEntry,
                                         List<AttributeType> attrList,
-                                        boolean skipCheck) {
+                                        boolean skipCheck,
+                                        boolean specificAttr) {
 
     //The attribute list might be null.
     if(attrList == null)
@@ -311,6 +322,8 @@
       ByteString clientDNStr=
               new ASN1OctetString(container.getClientDN().toString());
       AttributeValue val1=new AttributeValue(a, clientDNStr);
+      if(!specificAttr)
+        container.setCurrentAttributeType(dnAttributeType);
       container.setCurrentAttributeValue(val1);
       container.setRights(ACI_WRITE_ADD | ACI_SKIP_PROXY_CHECK);
       evalInfo.append(rightsString(container, handler, skipCheck,
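Review bot: When `specificAttr` is false the container's current attribute type becomes `dnAttributeType`, but `val1` two lines earlier is still built as `new AttributeValue(a, clientDNStr)`, so the value and the type under evaluation no longer refer to the same attribute. If `AttributeValue` normalizes by the matching rule of its attribute type (not visible here, please confirm), the client DN would be normalized under `a` rather than as a DN. Either build the value with the type that is actually evaluated or add a comment saying the mismatch is intended, for example `//Attributes not named in the request are evaluated for selfwrite as distinguishedName.` The unbraced `if` would also be safer with braces, given that the following `setCurrentAttributeValue` call must stay unconditional.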
@@ -322,6 +335,7 @@
                        "selfwrite_delete"));
       addAttrLevelRightsInfo(container, mask, a, retEntry, "selfwrite_delete");
       evalInfo.append(',');
+      container.setCurrentAttributeType(a);
       container.setCurrentAttributeValue(null);
                 container.setRights(ACI_PROXY | ACI_SKIP_PROXY_CHECK);
       evalInfo.append(rightsString(container, handler, skipCheck, "proxy"));
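Review bot: The added `container.setCurrentAttributeType(a);` undoes the override from the selfwrite block, but nothing marks it as a restore, so a later reordering could drop it and let the proxy right be evaluated against distinguishedName again. A comment such as `//Restore the attribute type that the selfwrite evaluation may have replaced.` would tie the two lines together. The diffstat shows only this file changed, so no regression test pins the corrected delete and proxy results. A geteffectiverights test covering both a requested and a non-requested attribute would be worth adding with this fix.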

--
Gitblit v1.10.0