From ed39262fa647434d4a0e31f07754a263ce2b16e3 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Fri, 09 Feb 2007 21:51:09 +0000
Subject: [PATCH] Add an initial set of privilege support to OpenDS.  The current privileges are currently defined and implemented: * config-read (allow reading the configuration) * config-write (allow updating the configuration) * ldif-import (allow invoking LDIF import tasks) * ldif-export (allow invoking LDIF export tasks) * backend-backup (allow invoking backup tasks) * backend-restore (allow invoking restore tasks) * server-shutdown (allow invoking server shutdown tasks) * server-restart (allow invoking server restart tasks) * server-restart (allow invoking server restart tasks) * password-reset (allow resetting user passwords) * update-schema (allow updating the server schema) * privilege-change (allow changing the set of privileges for a user)

---
 opends/src/server/org/opends/server/extensions/PasswordModifyExtendedOperation.java |   33 +++++++++++++++++++++++++++++----
 1 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/PasswordModifyExtendedOperation.java b/opends/src/server/org/opends/server/extensions/PasswordModifyExtendedOperation.java
index 5eafa77..000f9b9 100644
--- a/opends/src/server/org/opends/server/extensions/PasswordModifyExtendedOperation.java
+++ b/opends/src/server/org/opends/server/extensions/PasswordModifyExtendedOperation.java
@@ -74,6 +74,7 @@
 import org.opends.server.types.LockManager;
 import org.opends.server.types.Modification;
 import org.opends.server.types.ModificationType;
+import org.opends.server.types.Privilege;
 import org.opends.server.types.ResultCode;
 
 import static org.opends.server.config.ConfigConstants.*;
@@ -494,10 +495,34 @@
 
 
       // Determine whether the user is changing his own password or if it's an
-      // administrative reset.
-      boolean selfChange = ((userIdentity == null) ||
-                            (requestorEntry == null) ||
-                            userDN.equals(requestorEntry.getDN()));
+      // administrative reset.  If it's an administrative reset, then the
+      // requester must have the PASSWORD_RESET privilege.
+      boolean selfChange;
+      if (userIdentity == null)
+      {
+        selfChange = true;
+      }
+      else if (requestorEntry == null)
+      {
+        selfChange = (oldPassword != null);
+      }
+      else
+      {
+        selfChange = userDN.equals(requestorEntry.getDN());
+      }
+
+      if (! selfChange)
+      {
+        ClientConnection clientConnection = operation.getClientConnection();
+        if (! clientConnection.hasPrivilege(Privilege.PASSWORD_RESET,
+                                            operation))
+        {
+          int msgID = MSGID_EXTOP_PASSMOD_INSUFFICIENT_PRIVILEGES;
+          operation.appendErrorMessage(getMessage(msgID));
+          operation.setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+          return;
+        }
+      }
 
 
       // See if the account is locked.  If so, then reject the request.

--
Gitblit v1.10.0