From 586d73af0a4a90166dcbf1e94a728cdf32cb46ee Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Fri, 27 Jul 2007 22:44:09 +0000
Subject: [PATCH] Fix targetattr not-equal operator giving access to an operational attribute based on a user attribute not matching, or giving access to a user attribute based on an operational attribute not matching. For example:

---
 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/TargetAttr.java |   42 +++++++++++++++++++++++++++---------------
 1 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/TargetAttr.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/TargetAttr.java
index 9ea4fa9..81f2634 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/TargetAttr.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/TargetAttr.java
@@ -117,6 +117,7 @@
         }
     }
 
+
     /**
      * Converts each element of an array of attribute strings
      * to attribute types and adds them to either the user attributes HashSet or
@@ -256,29 +257,40 @@
      * First check is to see if the attribute type is operational. If so then
      * a match is true if the allOpAttributes boolean is true or if the
      * attribute type is found in the operational attributes HashSet.
+     * Both results can be negated if the expression operator is NOT_EQUALITY).
      *
      * Second check is similar to above, except the user attributes boolean
-     * and HashSet is examined. Both results can be negated if the expression
-     * operator is NOT_EQUALITT).
+     * and HashSet is examined.
+     *
      *
      * @param a The attribute type to evaluate.
      * @param targetAttr The targetAttr to apply to the attribute type.
      * @return True if the attribute type is applicable to the targetAttr.
      */
-    private static
-    boolean evalAttrType(AttributeType a, TargetAttr targetAttr) {
+      private static
+      boolean evalAttrType(AttributeType a, TargetAttr targetAttr) {
         boolean ret=false;
         if(a.isOperational()) {
-            if(targetAttr.isAllOpAttributes() ||
-                    targetAttr.opAttributes.contains(a))
-                ret=true;
+          if(targetAttr.isAllOpAttributes() ||
+                  targetAttr.opAttributes.contains(a))
+            ret=true;
+          if(targetAttr.isAllOpAttributes() ||
+             !targetAttr.opAttributes.isEmpty()) {
+            if(targetAttr.getOperator().
+                    equals(EnumTargetOperator.NOT_EQUALITY))
+              ret=!ret;
+          }
         } else {
-            if(targetAttr.isAllUserAttributes() ||
-                    targetAttr.attributes.contains(a))
-                ret=true;
+          if(targetAttr.isAllUserAttributes() ||
+                  targetAttr.attributes.contains(a))
+            ret=true;
+          if(targetAttr.isAllUserAttributes() ||
+                  !targetAttr.attributes.isEmpty()) {
+            if(targetAttr.getOperator().
+                    equals(EnumTargetOperator.NOT_EQUALITY))
+              ret=!ret;
+          }
         }
-        if(targetAttr.getOperator().equals(EnumTargetOperator.NOT_EQUALITY))
-            ret = !ret;
-        return ret;
-    }
-}
+      return ret;
+      }
+  }
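Review bot: The Javadoc above evalAttrType no longer states when the NOT_EQUALITY negation applies, which is the access-control rule this hunk changes: in the new body `ret` is inverted only when the targetattr has the all-attributes flag set or a non-empty set for the same class (operational or user) as `a`, so an attribute of the other class stays non-matching. The added sentence `Both results can be negated if the expression operator is NOT_EQUALITY).` sits under the first check only and carries a stray `)`; I would replace it with a paragraph after the second check such as `The result is negated for NOT_EQUALITY only when the targetattr selects all attributes of a's class or lists at least one of them; otherwise an attribute of the other class never matches.` The operational and user branches are now identical apart from the flag and set they read, so a small private helper taking those two values would keep the two paths from drifting apart in a later change. The diffstat lists only this file, so a regression test for a not-equal targetattr that names only user attributes (and the reverse) appears to be missing from this commit.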

--
Gitblit v1.10.0