From 5ab71727e25999e8bafe2f299ea4ac05bf4290b6 Mon Sep 17 00:00:00 2001
From: matthew_swift <matthew_swift@localhost>
Date: Mon, 08 Jun 2009 16:53:14 +0000
Subject: [PATCH] Fix issue 4042: LDAP assertion control access control evaluation results in protocol error
---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java | 50 +++++++++++++++++++++++++++++++++-----------------
1 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
index 118297f..a10e64b 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
@@ -1465,30 +1465,46 @@
if (oid.equals(OID_LDAP_ASSERTION))
{
// RFC 4528 mandates support for Add operation basically
- // suggesting an asertion on self. As daft as it may be
+ // suggesting an assertion on self. As daft as it may be
// we gonna have to support this for RFC compliance.
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter filter;
try
{
- SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
+ filter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (! filter.matchesEntry(entry))
+ throw new DirectoryException(de.getResultCode(),
+ ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, entry, filter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try
+ {
+ if (!filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
- ERR_ADD_ASSERTION_FAILED.get(
- String.valueOf(entryDN)));
+ ERR_ADD_ASSERTION_FAILED.get(String
+ .valueOf(entryDN)));
}
}
catch (DirectoryException de)
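Review bot: The ASSERTION_FAILED exception at `if (!filter.matchesEntry(entry))` is still thrown inside a try whose own `catch (DirectoryException de)` follows. That is the same shape that caused INSUFFICIENT_ACCESS_RIGHTS to be rewrapped before this change. The catch body starts outside this hunk, so it may already rethrow that code untouched; if it does not, the client gets the right result code but wrapped in the "cannot process assertion filter" message. Keeping only the evaluation in the try removes that dependency: declare `boolean matches;` before it, assign `matches = filter.matchesEntry(entry);` inside, and test `if (!matches)` with the existing throw after the catch. The comment above the `isAllowed` call could also say that the check must stay ahead of `matchesEntry` and outside both try blocks, so the filter is never evaluated for a requester who lacks the right.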
@@ -1503,10 +1519,10 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
- ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
- String.valueOf(entryDN),
- de.getMessageObject()));
+ throw new DirectoryException(de.getResultCode(),
+ ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
}
}
else if (oid.equals(OID_LDAP_NOOP_OPENLDAP_ASSIGNED))
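Review bot: The rebuilt exception at `throw new DirectoryException(de.getResultCode(), ...)` keeps the result code and message of `de` but not `de` itself, so the original stack trace is only available when debug tracing is enabled. If DirectoryException has a constructor that also takes a cause, pass `de` as the final argument, i.e. end the call with `de.getMessageObject()), de);`. The new catch around `assertControl.getSearchFilter()` in the first hunk has the same shape. The catch block begins above this hunk, so any result-code filtering done there is not visible here. Because the code is now taken from the caught exception rather than fixed, it is worth confirming that every code `matchesEntry` can raise is one the client should see.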
--
Gitblit v1.10.0