From 4e806081638f22dade6802c2996295d263d3e377 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Mon, 12 Feb 2007 16:39:30 +0000
Subject: [PATCH] Implement support for the proxied-auth privilege, which will be required in order to use the proxied authorization control.  This privilege is also used to determine whether a user can specify an alternate authorization identity for the SASL DIGEST-MD5 and PLAIN mechanisms.

---
 opends/src/server/org/opends/server/core/AddOperation.java |   26 ++++++++++++++++++++++----
 1 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/opends/src/server/org/opends/server/core/AddOperation.java b/opends/src/server/org/opends/server/core/AddOperation.java
index 6d0bd25..6c79f9f 100644
--- a/opends/src/server/org/opends/server/core/AddOperation.java
+++ b/opends/src/server/org/opends/server/core/AddOperation.java
@@ -1775,6 +1775,17 @@
             }
             else if (oid.equals(OID_PROXIED_AUTH_V1))
             {
+              // The requester must have the PROXIED_AUTH privilige in order to
+              // be able to use this control.
+              if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
+              {
+                int msgID = MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES;
+                appendErrorMessage(getMessage(msgID));
+                setResultCode(ResultCode.AUTHORIZATION_DENIED);
+                break addProcessing;
+              }
+
+
               ProxiedAuthV1Control proxyControl;
               if (c instanceof ProxiedAuthV1Control)
               {
@@ -1814,12 +1825,21 @@
               }
 
 
-              // FIXME -- Should we specifically check permissions here, or let
-              //          the earlier access control checks handle it?
               setAuthorizationEntry(authorizationEntry);
             }
             else if (oid.equals(OID_PROXIED_AUTH_V2))
             {
+              // The requester must have the PROXIED_AUTH privilige in order to
+              // be able to use this control.
+              if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
+              {
+                int msgID = MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES;
+                appendErrorMessage(getMessage(msgID));
+                setResultCode(ResultCode.AUTHORIZATION_DENIED);
+                break addProcessing;
+              }
+
+
               ProxiedAuthV2Control proxyControl;
               if (c instanceof ProxiedAuthV2Control)
               {
@@ -1859,8 +1879,6 @@
               }
 
 
-              // FIXME -- Should we specifically check permissions here, or let
-              //          the earlier access control checks handle it?
               setAuthorizationEntry(authorizationEntry);
             }
 

--
Gitblit v1.10.0