From 713d9fabc5e30e0dd4016328904dca66d75cf7e3 Mon Sep 17 00:00:00 2001
From: jdemendi <jdemendi@localhost>
Date: Tue, 31 Mar 2009 15:52:47 +0000
Subject: [PATCH] fix 3892, ACI evaluation is made optional when returning entries and references to clients

---
 opends/src/server/org/opends/server/core/SearchOperationBasis.java |   41 ++++++++++++++++++++++++++++++++++-------
 1 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/opends/src/server/org/opends/server/core/SearchOperationBasis.java b/opends/src/server/org/opends/server/core/SearchOperationBasis.java
index f31ee88..fb1e83e 100644
--- a/opends/src/server/org/opends/server/core/SearchOperationBasis.java
+++ b/opends/src/server/org/opends/server/core/SearchOperationBasis.java
@@ -576,6 +576,15 @@
    */
   public final boolean returnEntry(Entry entry, List<Control> controls)
   {
+    return returnEntry(entry, controls, true);
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  public final boolean returnEntry(Entry entry, List<Control> controls,
+                                   boolean evaluateAci)
+  {
     boolean typesOnly = getTypesOnly();
 
     // See if the size limit has been exceeded.  If so, then don't send the
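Review bot: The new public overload `returnEntry(entry, controls, evaluateAci)` is documented only by `{@inheritDoc}`, so nothing at this declaration tells a caller that passing `false` skips both the `maySend` check and the `filterEntry` call later in the method. Because the method is `public final`, any code holding the operation can take that path. Unless the inherited Javadoc (not visible here) already covers it, state the contract on the parameter, e.g. `@param evaluateAci {@code false} skips access-control evaluation for this entry; pass it only when the caller has already enforced the client's read rights.` The same applies to the `returnReference(dn, reference, evaluateAci)` overload added in the hunk at -842. The method body continues outside this hunk.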
@@ -702,11 +711,14 @@
     }
 
     // Check to see if the entry can be read by the client.
-    SearchResultEntry tmpSearchEntry = new SearchResultEntry(entry,
+    if (evaluateAci)
+    {
+      SearchResultEntry tmpSearchEntry = new SearchResultEntry(entry,
         controls);
-    if (AccessControlConfigManager.getInstance()
-        .getAccessControlHandler().maySend(this, tmpSearchEntry) == false) {
-      return true;
+      if (AccessControlConfigManager.getInstance()
+          .getAccessControlHandler().maySend(this, tmpSearchEntry) == false) {
+        return true;
+      }
     }
 
     // Make a copy of the entry and pare it down to only include the set
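Review bot: As a style point, the `maySend` check is now an `if` nested inside `if (evaluateAci)`, and the continuation lines `controls);` and `.getAccessControlHandler().maySend(...)` kept their old indentation, so they no longer sit under the statements they continue. Folding the flag into the condition keeps the check flat and drops the `== false` comparison: `if (evaluateAci && !AccessControlConfigManager.getInstance().getAccessControlHandler().maySend(this, new SearchResultEntry(entry, controls))) { return true; }`, wrapped to the file's line length. The reference check in the hunk at -862 has the same nested shape and the same stale continuation indent, and the `filterEntry` hunk at -803 has the stale indent as well.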
@@ -803,8 +815,11 @@
 
     // FIXME: need some way to prevent plugins from adding attributes or
     // values that the client is not permitted to see.
-    searchEntry = AccessControlConfigManager.getInstance()
+    if (evaluateAci)
+    {
+      searchEntry = AccessControlConfigManager.getInstance()
         .getAccessControlHandler().filterEntry(this, searchEntry);
+    }
 
     // Invoke any search entry plugins that may be registered with the server.
     PluginResult.IntermediateResponse pluginResult =
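Review bot: Guarding `filterEntry` with the same flag as `maySend` means `evaluateAci == false` turns off attribute-level filtering as well as the entry-level check. The entry then goes to the plugins and the client with every requested attribute, and the FIXME just above already notes that attributes added by plugins are not re-checked. Whether any caller needs one check without the other is not visible here, but the block should say what is being relied on, e.g. `// evaluateAci == false: the caller must already have restricted searchEntry to attributes the client may read.` If that guarantee cannot be made for every caller, separate controls for the entry check and the attribute filter would be the safer shape.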
@@ -842,6 +857,15 @@
    */
   public final boolean returnReference(DN dn, SearchResultReference reference)
   {
+    return returnReference(dn, reference, true);
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  public final boolean returnReference(DN dn, SearchResultReference reference,
+                                       boolean evaluateAci)
+  {
     // See if the time limit has expired.  If so, then don't send the entry and
     // indicate that the search should end.
     if ((getTimeLimit() > 0) && (TimeThread.getTime() >=
@@ -862,9 +886,12 @@
 
 
     // See if the client has permission to read this reference.
-    if (AccessControlConfigManager.getInstance()
+    if (evaluateAci)
+    {
+      if (AccessControlConfigManager.getInstance()
         .getAccessControlHandler().maySend(dn, this, reference) == false) {
-      return true;
+        return true;
+      }
     }
 
 

--
Gitblit v1.10.0