From ed39262fa647434d4a0e31f07754a263ce2b16e3 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Fri, 09 Feb 2007 21:51:09 +0000
Subject: [PATCH] Add an initial set of privilege support to OpenDS.  The current privileges are currently defined and implemented: * config-read (allow reading the configuration) * config-write (allow updating the configuration) * ldif-import (allow invoking LDIF import tasks) * ldif-export (allow invoking LDIF export tasks) * backend-backup (allow invoking backup tasks) * backend-restore (allow invoking restore tasks) * server-shutdown (allow invoking server shutdown tasks) * server-restart (allow invoking server restart tasks) * server-restart (allow invoking server restart tasks) * password-reset (allow resetting user passwords) * update-schema (allow updating the server schema) * privilege-change (allow changing the set of privileges for a user)

---
 opends/src/server/org/opends/server/core/ModifyOperation.java |   29 +++++++++++++++++++++++++++++
 1 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/core/ModifyOperation.java b/opends/src/server/org/opends/server/core/ModifyOperation.java
index 999c39c..be01a29 100644
--- a/opends/src/server/org/opends/server/core/ModifyOperation.java
+++ b/opends/src/server/org/opends/server/core/ModifyOperation.java
@@ -81,6 +81,7 @@
 import org.opends.server.types.Modification;
 import org.opends.server.types.ModificationType;
 import org.opends.server.types.OperationType;
+import org.opends.server.types.Privilege;
 import org.opends.server.types.RDN;
 import org.opends.server.types.ResultCode;
 import org.opends.server.types.SearchFilter;
@@ -1283,6 +1284,18 @@
                      pwPolicyState.getPasswordAttribute()))
             {
               passwordChanged = true;
+              if (! selfChange)
+              {
+                if (! clientConnection.hasPrivilege(Privilege.PASSWORD_RESET,
+                                                    this))
+                {
+                  int msgID = MSGID_MODIFY_PWRESET_INSUFFICIENT_PRIVILEGES;
+                  appendErrorMessage(getMessage(msgID));
+                  setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+                  break modifyProcessing;
+                }
+              }
+
               break;
             }
           }
@@ -1371,6 +1384,22 @@
           }
 
 
+          // See if the attribute is one which controls the privileges available
+          // for a user.  If it is, then the client must have the
+          // PRIVILEGE_CHANGE privilege.
+          if (t.hasName(OP_ATTR_PRIVILEGE_NAME))
+          {
+            if (! clientConnection.hasPrivilege(Privilege.PRIVILEGE_CHANGE,
+                                                this))
+            {
+              int msgID = MSGID_MODIFY_CHANGE_PRIVILEGE_INSUFFICIENT_PRIVILEGES;
+              appendErrorMessage(getMessage(msgID));
+              setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+              break modifyProcessing;
+            }
+          }
+
+
           // If the modification is updating the password attribute, then
           // perform any necessary password policy processing.  This processing
           // should be skipped for synchronization operations.

--
Gitblit v1.10.0