From ed39262fa647434d4a0e31f07754a263ce2b16e3 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Fri, 09 Feb 2007 21:51:09 +0000
Subject: [PATCH] Add an initial set of privilege support to OpenDS.  The current privileges are currently defined and implemented: * config-read (allow reading the configuration) * config-write (allow updating the configuration) * ldif-import (allow invoking LDIF import tasks) * ldif-export (allow invoking LDIF export tasks) * backend-backup (allow invoking backup tasks) * backend-restore (allow invoking restore tasks) * server-shutdown (allow invoking server shutdown tasks) * server-restart (allow invoking server restart tasks) * server-restart (allow invoking server restart tasks) * password-reset (allow resetting user passwords) * update-schema (allow updating the server schema) * privilege-change (allow changing the set of privileges for a user)

---
 opends/src/server/org/opends/server/backends/SchemaBackend.java |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/backends/SchemaBackend.java b/opends/src/server/org/opends/server/backends/SchemaBackend.java
index 571c31f..6a4a349 100644
--- a/opends/src/server/org/opends/server/backends/SchemaBackend.java
+++ b/opends/src/server/org/opends/server/backends/SchemaBackend.java
@@ -57,6 +57,7 @@
 
 import org.opends.server.api.AlertGenerator;
 import org.opends.server.api.Backend;
+import org.opends.server.api.ClientConnection;
 import org.opends.server.api.ConfigurableComponent;
 import org.opends.server.api.MatchingRule;
 import org.opends.server.config.BooleanConfigAttribute;
@@ -103,6 +104,7 @@
 import org.opends.server.types.NameForm;
 import org.opends.server.types.ObjectClass;
 import org.opends.server.types.ObjectClassType;
+import org.opends.server.types.Privilege;
 import org.opends.server.types.RDN;
 import org.opends.server.types.RestoreConfig;
 import org.opends.server.types.ResultCode;
@@ -950,6 +952,20 @@
                       String.valueOf(modifyOperation));
 
 
+    // Make sure that the authenticated user has the necessary UPDATE_SCHEMA
+    // privilege.
+    ClientConnection clientConnection = modifyOperation.getClientConnection();
+    if (! clientConnection.hasPrivilege(Privilege.UPDATE_SCHEMA,
+                                        modifyOperation))
+    {
+      int    msgID   = MSGID_SCHEMA_MODIFY_INSUFFICIENT_PRIVILEGES;
+      String message = getMessage(msgID);
+      throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+                                   message, msgID);
+    }
+
+
+
     // At present, we only allow the addition of new attribute types,
     // object classes, name forms, DIT content rules, DIT structure rules, and
     // matching rule uses.  We will not support removing or replacing existing

--
Gitblit v1.10.0