From 5067760c866efc66b933457bd399affa47c9e9a4 Mon Sep 17 00:00:00 2001
From: matthew_swift <matthew_swift@localhost>
Date: Fri, 24 Apr 2009 12:52:54 +0000
Subject: [PATCH] Fix issue 3928: Wrong error message sent to access log (while correct one is in error log)

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |   65 +++++++++++++-------------------
 1 files changed, 27 insertions(+), 38 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 8e8d4c7..829d1e9 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -77,6 +77,7 @@
 import org.opends.server.types.Operation;
 import org.opends.server.types.Privilege;
 import org.opends.server.types.RDN;
+import org.opends.server.types.ResultCode;
 import org.opends.server.types.SearchFilter;
 import org.opends.server.types.SearchResultEntry;
 import org.opends.server.types.SearchResultReference;
@@ -89,7 +90,7 @@
  * The AciHandler class performs the main processing for the dseecompat
  * package.
  */
-public class AciHandler extends
+public final class AciHandler extends
     AccessControlHandler<DseeCompatAccessControlHandlerCfg>
 {
   /**
@@ -318,6 +319,7 @@
    */
   @Override
   public boolean isAllowed(DN entryDN, Operation op, Control control)
+      throws DirectoryException
   {
     boolean ret;
     if (!(ret = skipAccessCheck(op)))
@@ -335,31 +337,20 @@
     }
     else if (control.getOID().equals(OID_GET_EFFECTIVE_RIGHTS))
     {
-      try
+      GetEffectiveRightsRequestControl getEffectiveRightsControl;
+      if (control instanceof LDAPControl)
       {
-        GetEffectiveRightsRequestControl getEffectiveRightsControl;
-        if (control instanceof LDAPControl)
-        {
-          getEffectiveRightsControl =
-              GetEffectiveRightsRequestControl.DECODER.decode(control
-                  .isCritical(), ((LDAPControl) control).getValue());
-        }
-        else
-        {
-          getEffectiveRightsControl =
-              (GetEffectiveRightsRequestControl) control;
-        }
-        op.setAttachment(OID_GET_EFFECTIVE_RIGHTS,
-            getEffectiveRightsControl);
+        getEffectiveRightsControl =
+            GetEffectiveRightsRequestControl.DECODER.decode(control
+                .isCritical(), ((LDAPControl) control).getValue());
       }
-      catch (DirectoryException de)
+      else
       {
-        Message message =
-            WARN_ACI_SYNTAX_DECODE_EFFECTIVERIGHTS_FAIL.get(de
-                .getMessage());
-        logError(message);
-        ret = false;
+        getEffectiveRightsControl =
+            (GetEffectiveRightsRequestControl) control;
       }
+      op.setAttachment(OID_GET_EFFECTIVE_RIGHTS,
+          getEffectiveRightsControl);
     }
     return ret;
   }
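Review bot: The `else` branch still does an unchecked cast, `(GetEffectiveRightsRequestControl) control`, so a control carrying OID_GET_EFFECTIVE_RIGHTS that is neither an LDAPControl nor an already-decoded instance raises ClassCastException, which bypasses the DirectoryException path this commit introduces. Guarding it with `else if (control instanceof GetEffectiveRightsRequestControl)` and throwing a DirectoryException from a final `else` would keep every failure on the one declared path. A decode failure also no longer sets `ret = false`, so denial now depends on the caller treating the exception as a refusal, which is not visible in this hunk. The method body begins in the previous hunk and part of it lies outside both.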
@@ -388,14 +379,11 @@
 
 
   /**
-   * Check access on add operations.
-   *
-   * @param operation
-   *          The add operation to check access on.
-   * @return True if access is allowed.
+   * {@inheritDoc}
    */
   @Override
   public boolean isAllowed(LocalBackendAddOperation operation)
+      throws DirectoryException
   {
     AciLDAPOperationContainer operationContainer =
         new AciLDAPOperationContainer(operation, ACI_ADD);
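Review bot: The new `throws DirectoryException` on this overload is documented only through `{@inheritDoc}`, so this class no longer says when the access check ends with an exception instead of a boolean. If the superclass Javadoc does not already cover it, add a line such as `@throws DirectoryException If an "aci" value in the entry being added cannot be decoded.` The wording is inferred from the verifySyntax hunk further down, so confirm it against the method body, which continues outside this hunk. The same applies to the LocalBackendModifyOperation overload in the next hunk.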
@@ -543,15 +531,11 @@
 
 
   /**
-   * Check access on modify operations.
-   *
-   * @param operation
-   *          The modify operation to check access on.
-   * @return True if access is allowed.
+   * {@inheritDoc}
    */
-
   @Override
   public boolean isAllowed(LocalBackendModifyOperation operation)
+      throws DirectoryException
   {
     AciLDAPOperationContainer operationContainer =
         new AciLDAPOperationContainer(operation, ACI_NULL);
@@ -910,9 +894,12 @@
    * @param skipAccessCheck
    *          True if access checking should be skipped.
    * @return True if access is allowed.
+   * @throws DirectoryException
+   *           If a modified ACI could not be decoded.
    */
   private boolean aciCheckMods(AciLDAPOperationContainer container,
       LocalBackendModifyOperation operation, boolean skipAccessCheck)
+      throws DirectoryException
   {
     Entry resourceEntry = container.getResourceEntry();
     DN dn = resourceEntry.getDN();
@@ -1044,8 +1031,8 @@
               Message message =
                   WARN_ACI_MODIFY_FAILED_DECODE.get(String.valueOf(dn),
                       ex.getMessage());
-              logError(message);
-              return false;
+              throw new DirectoryException(
+                  ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
             }
           }
         }
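Review bot: The throw drops both the `logError(message)` call and the original exception object, keeping only `ex.getMessage()`. Unless the caller records the failure, a rejected attempt to write a malformed ACI no longer leaves an entry in the error log, and the decode stack trace is lost for diagnosis. Passing the cause, `throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message, ex);`, preserves the trace. The decoder text and the DN are now returned to the client, so it is worth confirming that this branch runs only after the client's right to modify the aci attribute has been established; that ordering is outside the hunk. The same pattern appears in the verifySyntax hunk at the end of the patch.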
@@ -1598,9 +1585,11 @@
    *          The authorization DN.
    * @return True if the entry has no ACI attributes or if all of the
    *         "aci" attributes values pass ACI syntax checking.
+   * @throws DirectoryException
+   *           If a modified ACI could not be decoded.
    */
   private boolean verifySyntax(Entry entry, Operation operation,
-      DN clientDN)
+      DN clientDN) throws DirectoryException
   {
     if (entry.hasOperationalAttribute(aciType))
     {
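Review bot: The added `@throws` text, "If a modified ACI could not be decoded", reads as copied from aciCheckMods. This method checks the "aci" values of an entry, and the last hunk reports WARN_ACI_ADD_FAILED_DECODE. Something like `@throws DirectoryException If an "aci" attribute value in the entry fails ACI syntax checking.` would match what the method does. The `@return` text above it still implies that a syntax failure yields false; if the throw in the last hunk was the only such path, that sentence should be updated too, though the full body is not visible here.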
@@ -1633,8 +1622,8 @@
             Message message =
                 WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entry
                     .getDN()), ex.getMessage());
-            logError(message);
-            return false;
+            throw new DirectoryException(
+                ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
           }
         }
       }

--
Gitblit v1.10.0