From 5cdce74a9ac94e3a4b5e369b22ab6fcf9bbbb384 Mon Sep 17 00:00:00 2001
From: abobrov <abobrov@localhost>
Date: Mon, 18 May 2009 23:17:06 +0000
Subject: [PATCH] - patch [Issue 3984] & [Issue 3989] : Security issues with Assertion, Pre-Read, Post-Read Controls.

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |   45 ++++++++++++++++++++++++++++-----------------
 1 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 829d1e9..c88ec16 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -230,24 +230,8 @@
 
 
 
-  /*
-   * TODO Rename this method. Needs to be changed in SearchOperation. I
-   * find the name of the filterEntry method to be misleading because it
-   * works on a search operation but has nothing to do with the search
-   * filter. Something like "removeDisallowedAttributes" would be
-   * clearer.
-   */
-
   /**
-   * Checks access on each attribute in an entry. It removes those
-   * attributes that fail access check.
-   *
-   * @param operation
-   *          The search operation class containing information to check
-   *          access on.
-   * @param entry
-   *          The entry containing the attributes.
-   * @return The entry to return minus filtered attributes.
+   * {@inheritDoc}
    */
   @Override
   public SearchResultEntry filterEntry(SearchOperation operation,
@@ -284,6 +268,19 @@
   /**
    * {@inheritDoc}
    */
+  @Override
+  public SearchResultEntry filterEntry(Operation operation, Entry entry)
+  {
+    AciLDAPOperationContainer operationContainer =
+        new AciLDAPOperationContainer(operation, (ACI_READ), entry);
+    return accessAllowedAttrs(operationContainer);
+  }
+
+
+
+  /**
+   * {@inheritDoc}
+   */
   @Override()
   public void finalizeAccessControlHandler()
   {
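Review bot: The new `filterEntry(Operation, Entry)` overload only strips attributes that fail `ACI_READ`; nothing in this hunk shows that the requester may read the entry itself, or what callers receive when every attribute is filtered out. `accessAllowedAttrs` is not visible here, so this may already be handled there. Since the commit subject ties the change to the Pre-Read and Post-Read controls, the contract should be stated rather than left to `{@inheritDoc}`, for example `// Pre-read/post-read controls: return only the attributes the requester may read.` above the container construction, if that matches the intent. The parentheses in `(ACI_READ)` are redundant, here and in the `isAllowed` hunk below. The body of `finalizeAccessControlHandler` continues outside the hunk.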
@@ -561,6 +558,20 @@
    * {@inheritDoc}
    */
   @Override
+  public boolean isAllowed(Operation operation, Entry entry,
+    SearchFilter filter) throws DirectoryException
+  {
+    AciLDAPOperationContainer operationContainer =
+        new AciLDAPOperationContainer(operation, (ACI_READ), entry);
+    return testFilter(operationContainer, filter);
+  }
+
+
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
   public boolean mayProxy(Entry proxyUser, Entry proxiedUser,
       Operation op)
   {
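Review bot: `isAllowed` evaluates the assertion filter with `ACI_READ`, and the hunk gives no reason for choosing the read right over a search or compare right for what is a value-matching test against the entry. If read is intended, a why-comment such as `// Assertion control: the filter may only match on attributes the requester is allowed to read.` would stop a later maintainer from loosening it, because a filter evaluated without that check can reveal attribute values through success or failure of the operation. The method lets `DirectoryException` from `testFilter` propagate, so it is worth confirming that callers (not shown) treat an exception as a denial rather than proceeding. `mayProxy` continues past the end of the hunk.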

--
Gitblit v1.10.0