From 36b59d045aa7ef553d0704a637d00e46e4050254 Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Fri, 26 Jul 2013 15:24:42 +0000
Subject: [PATCH] A global ACI allow querying data. Added the following to restrict anonymous user's access to "dc=example,dc=com"

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index ed76f29..bb900bc 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -355,6 +355,11 @@
   {
     AciContainer container =
         new AciLDAPOperationContainer(operation, ACI_COMPARE);
+    if (!isAllowed(container, operation))
+    {
+      // first check more global ACIs without targetattrs defined on them
+      return false;
+    }
 
     String baseName;
     String rawAttributeType = operation.getRawAttributeType();
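Review bot: The early `isAllowed(container, operation)` check added at the top of this method runs on the same `container` that the final `isAllowed(container, operation)` call in the next hunk reuses, so any evaluation state the first pass leaves on the container would carry into the attribute-level decision. Whether `isAllowed` mutates the container is not visible here; either confirm it is safe to call twice or build a fresh `AciLDAPOperationContainer` for the second pass. The first pass also runs before any attribute type or value is set, and if that is the intent the comment should say so, e.g. `// entry-level pass: no attribute type/value set yet, so ACIs without targetattr decide here`. The diffstat lists only AciHandler.java, so a regression test for a compare request from an anonymous bind against an entry that a global ACI should deny appears to be missing. The method's signature and the attribute parsing between the two hunks lie outside the visible lines.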
@@ -375,6 +380,7 @@
             .getAssertionValue());
     container.setCurrentAttributeType(attributeType);
     container.setCurrentAttributeValue(attributeValue);
+    // then check more precise ACIs with targetattrs defined on them
     return isAllowed(container, operation);
   }
 

--
Gitblit v1.10.0