From ac5e039ec09e386fdf4cef2d6a88d5a0717572da Mon Sep 17 00:00:00 2001
From: coulbeck <coulbeck@localhost>
Date: Tue, 06 Mar 2007 21:30:53 +0000
Subject: [PATCH] Implement access control checking for the modify increment operation.  The same checks are made for increment as would be made for a replace.  However, the access control handler needs to have the modified entry available so the access control handler is called later in the modify operation after the modified entry has been set.  This change has been discussed with Mike and Neil.

---
 opends/src/server/org/opends/server/core/ModifyOperation.java |   42 ++++++++++++++++++++++--------------------
 1 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/opends/src/server/org/opends/server/core/ModifyOperation.java b/opends/src/server/org/opends/server/core/ModifyOperation.java
index 50d9364..8623ba4 100644
--- a/opends/src/server/org/opends/server/core/ModifyOperation.java
+++ b/opends/src/server/org/opends/server/core/ModifyOperation.java
@@ -1164,26 +1164,6 @@
         }
 
 
-        // Check to see if the client has permission to perform the
-        // modify.
-
-        // FIXME: for now assume that this will check all permission
-        // pertinent to the operation. This includes proxy authorization
-        // and any other controls specified.
-
-        // FIXME: earlier checks to see if the entry already exists may
-        // have already exposed sensitive information to the client.
-        if (AccessControlConfigManager.getInstance()
-            .getAccessControlHandler().isAllowed(this) == false) {
-          setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
-
-          int msgID = MSGID_MODIFY_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS;
-          appendErrorMessage(getMessage(msgID, String.valueOf(entryDN)));
-
-          skipPostOperation = true;
-          break modifyProcessing;
-        }
-
         // Get the password policy state object for the entry that can be used
         // to perform any appropriate password policy processing.  Also, see if
         // the entry is being updated by the end user or an administrator.
@@ -2374,6 +2354,28 @@
         }
 
 
+        // Check to see if the client has permission to perform the
+        // modify.
+        // The access control check is not made any earlier because the
+        // handler needs access to the modified entry.
+
+        // FIXME: for now assume that this will check all permission
+        // pertinent to the operation. This includes proxy authorization
+        // and any other controls specified.
+
+        // FIXME: earlier checks to see if the entry already exists may
+        // have already exposed sensitive information to the client.
+        if (AccessControlConfigManager.getInstance()
+            .getAccessControlHandler().isAllowed(this) == false) {
+          setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+
+          int msgID = MSGID_MODIFY_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS;
+          appendErrorMessage(getMessage(msgID, String.valueOf(entryDN)));
+
+          skipPostOperation = true;
+          break modifyProcessing;
+        }
+
         // Make sure that the new entry is valid per the server schema.
         if (DirectoryServer.checkSchema())
         {

--
Gitblit v1.10.0