From 4e806081638f22dade6802c2996295d263d3e377 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Mon, 12 Feb 2007 16:39:30 +0000
Subject: [PATCH] Implement support for the proxied-auth privilege, which will be required in order to use the proxied authorization control. This privilege is also used to determine whether a user can specify an alternate authorization identity for the SASL DIGEST-MD5 and PLAIN mechanisms.
---
opends/src/server/org/opends/server/core/ModifyDNOperation.java | 27 +++++++++++++++++++++++----
1 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/opends/src/server/org/opends/server/core/ModifyDNOperation.java b/opends/src/server/org/opends/server/core/ModifyDNOperation.java
index 46a6402..e0a918d 100644
--- a/opends/src/server/org/opends/server/core/ModifyDNOperation.java
+++ b/opends/src/server/org/opends/server/core/ModifyDNOperation.java
@@ -69,6 +69,7 @@
import org.opends.server.types.Modification;
import org.opends.server.types.ModificationType;
import org.opends.server.types.OperationType;
+import org.opends.server.types.Privilege;
import org.opends.server.types.RDN;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SearchFilter;
@@ -1284,6 +1285,17 @@
}
else if (oid.equals(OID_PROXIED_AUTH_V1))
{
+ // The requester must have the PROXIED_AUTH privilige in order to
+ // be able to use this control.
+ if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
+ {
+ int msgID = MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES;
+ appendErrorMessage(getMessage(msgID));
+ setResultCode(ResultCode.AUTHORIZATION_DENIED);
+ break modifyDNProcessing;
+ }
+
+
ProxiedAuthV1Control proxyControl;
if (c instanceof ProxiedAuthV1Control)
{
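Review bot: The privilege gate added at the top of the OID_PROXIED_AUTH_V1 branch is repeated line for line in the OID_PROXIED_AUTH_V2 branch of the next hunk, so any later change to the denial path has to be made in both copies, and a missed copy would leave one control version unguarded. Moving the check into one private helper that records the error message and result code and returns a boolean keeps the two branches in step; the labeled `break modifyDNProcessing` has to stay at the call site. The new comment also misspells the word as "privilige" in both places. The enclosing method and the `modifyDNProcessing` block start outside this hunk, so the helper's placement in the class is a suggestion only.

```java
else if (oid.equals(OID_PROXIED_AUTH_V1))
{
  // The requester must have the PROXIED_AUTH privilege in order to
  // be able to use this control.
  if (! hasProxiedAuthPrivilege())
  {
    break modifyDNProcessing;
  }
  // … unchanged: decoding of ProxiedAuthV1Control and lookup of the authorization entry …

// Proposed helper, shared by the V1 and V2 branches.
private boolean hasProxiedAuthPrivilege()
{
  if (clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
  {
    return true;
  }

  appendErrorMessage(getMessage(MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES));
  setResultCode(ResultCode.AUTHORIZATION_DENIED);
  return false;
}
```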
@@ -1323,12 +1335,21 @@
}
- // FIXME -- Should we specifically check permissions here, or let
- // the earlier access control checks handle it?
setAuthorizationEntry(authorizationEntry);
}
else if (oid.equals(OID_PROXIED_AUTH_V2))
{
+ // The requester must have the PROXIED_AUTH privilige in order to
+ // be able to use this control.
+ if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
+ {
+ int msgID = MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES;
+ appendErrorMessage(getMessage(msgID));
+ setResultCode(ResultCode.AUTHORIZATION_DENIED);
+ break modifyDNProcessing;
+ }
+
+
ProxiedAuthV2Control proxyControl;
if (c instanceof ProxiedAuthV2Control)
{
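Review bot: Deleting the FIXME above `setAuthorizationEntry(authorizationEntry)` at the end of the V1 branch leaves its question only partly answered. The new `hasPrivilege(Privilege.PROXIED_AUTH, this)` check establishes that the requester may use the proxied authorization control at all, but nothing visible in this hunk limits which identity the requester may then assume. If that per-target decision is made later by the access control handler, record it where the FIXME stood, for example `// PROXIED_AUTH only gates use of the control; whether the requester may act as authorizationEntry is decided by access control.`; if it is not made anywhere, the check is still missing. The same applies to the FIXME removed from the V2 branch in the last hunk.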
@@ -1368,8 +1389,6 @@
}
- // FIXME -- Should we specifically check permissions here, or let
- // the earlier access control checks handle it?
setAuthorizationEntry(authorizationEntry);
}
--
Gitblit v1.10.0