From dc64fc2e646c22133f977cfe0417b18c7a90e8c4 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Thu, 18 Oct 2007 02:01:16 +0000
Subject: [PATCH] Fix regression where the error code returned for improperly formatted ACIs was 50, instead of the correct value 21. Issue 2458.
---
opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java | 250 ++++++++++++++++++++++++++++++-------------------
1 files changed, 152 insertions(+), 98 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java b/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
index 2b2d2df..58a7303 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
@@ -466,6 +466,22 @@
}
+ try
+ {
+ handleSchemaProcessing();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
+ {
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
+ }
+
+ setResponseData(de);
+ break modifyProcessing;
+ }
+
+
// Check to see if the client has permission to perform the modify.
// The access control check is not made any earlier because the handler
// needs access to the modified entry.
@@ -489,7 +505,7 @@
try
{
- handleInitialPasswordPolicyAndSchemaProcessing();
+ handleInitialPasswordPolicyProcessing();
wasLocked = false;
if (passwordChanged)
@@ -796,7 +812,6 @@
/**
* Gets the entry to modify.
*
- * @return The entry retrieved from the backend.
*
* @throws DirectoryException If a problem occurs while trying to get the
* entry, or if the entry doesn't exist.
@@ -1093,16 +1108,126 @@
}
}
-
-
- /**
- * Handles the initial set of password policy and schema processing for this
- * modify operation.
+ /**
+ * Handles schema processing for non-password modifications.
*
* @throws DirectoryException If a problem is encountered that should cause
* the modify operation to fail.
*/
- private void handleInitialPasswordPolicyAndSchemaProcessing()
+ private void handleSchemaProcessing() throws DirectoryException
+ {
+
+ for (Modification m : modifications)
+ {
+ Attribute a = m.getAttribute();
+ AttributeType t = a.getAttributeType();
+
+
+ // If the attribute type is marked "NO-USER-MODIFICATION" then fail unless
+ // this is an internal operation or is related to synchronization in some
+ // way.
+ if (t.isNoUserModification())
+ {
+ if (! (isInternalOperation() || isSynchronizationOperation() ||
+ m.isInternal()))
+ {
+ throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
+ ERR_MODIFY_ATTR_IS_NO_USER_MOD.get(
+ String.valueOf(entryDN), a.getName()));
+ }
+ }
+
+ // If the attribute type is marked "OBSOLETE" and the modification is
+ // setting new values, then fail unless this is an internal operation or
+ // is related to synchronization in some way.
+ if (t.isObsolete())
+ {
+ if (a.hasValue() &&
+ (m.getModificationType() != ModificationType.DELETE))
+ {
+ if (! (isInternalOperation() || isSynchronizationOperation() ||
+ m.isInternal()))
+ {
+ throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
+ ERR_MODIFY_ATTR_IS_OBSOLETE.get(
+ String.valueOf(entryDN), a.getName()));
+ }
+ }
+ }
+
+
+ // See if the attribute is one which controls the privileges available for
+ // a user. If it is, then the client must have the PRIVILEGE_CHANGE
+ // privilege.
+ if (t.hasName(OP_ATTR_PRIVILEGE_NAME))
+ {
+ if (! clientConnection.hasPrivilege(Privilege.PRIVILEGE_CHANGE, this))
+ {
+ throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_MODIFY_CHANGE_PRIVILEGE_INSUFFICIENT_PRIVILEGES.get());
+ }
+ }
+
+ // If the modification is not updating the password attribute,
+ // then check if the isEnabled flag should be set and then perform any
+ // schema processing.
+ boolean isPassword =
+ t.equals(pwPolicyState.getPolicy().getPasswordAttribute());
+ if (!isPassword )
+ {
+ // See if it's an attribute used to maintain the account
+ // enabled/disabled state.
+ AttributeType disabledAttr =
+ DirectoryServer.getAttributeType(OP_ATTR_ACCOUNT_DISABLED, true);
+ if (t.equals(disabledAttr))
+ {
+ enabledStateChanged = true;
+ for (AttributeValue v : a.getValues())
+ {
+ try
+ {
+ isEnabled =
+ (! BooleanSyntax.decodeBooleanValue(v.getNormalizedValue()));
+ }
+ catch (DirectoryException de)
+ {
+ throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX,
+ ERR_MODIFY_INVALID_DISABLED_VALUE.get(
+ OP_ATTR_ACCOUNT_DISABLED,
+ String.valueOf(de.getMessageObject())), de);
+ }
+ }
+ }
+
+ switch (m.getModificationType())
+ {
+ case ADD:
+ processInitialAddSchema(a);
+ break;
+
+ case DELETE:
+ processInitialDeleteSchema(a);
+ break;
+
+ case REPLACE:
+ processInitialReplaceSchema(a);
+ break;
+
+ case INCREMENT:
+ processInitialIncrementSchema(a);
+ break;
+ }
+ }
+ }
+ }
+
+ /**
+ * Handles the initial set of password policy for this modify operation.
+ *
+ * @throws DirectoryException If a problem is encountered that should cause
+ * the modify operation to fail.
+ */
+ private void handleInitialPasswordPolicyProcessing()
throws DirectoryException
{
// Declare variables used for password policy state processing.
@@ -1110,7 +1235,7 @@
isEnabled = true;
enabledStateChanged = false;
if (currentEntry.hasAttribute(
- pwPolicyState.getPolicy().getPasswordAttribute()))
+ pwPolicyState.getPolicy().getPasswordAttribute()))
{
// It may actually have more than one, but we can't tell the difference if
// the values are encoded, and its enough for our purposes just to know
@@ -1131,8 +1256,10 @@
{
for (Modification m : modifications)
{
- if (m.getAttribute().getAttributeType().equals(
- pwPolicyState.getPolicy().getPasswordAttribute()))
+ AttributeType t = m.getAttribute().getAttributeType();
+ boolean isPassword =
+ t.equals(pwPolicyState.getPolicy().getPasswordAttribute());
+ if (isPassword)
{
passwordChanged = true;
if (! selfChange)
@@ -1141,8 +1268,8 @@
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_MODIFY_PWRESET_INSUFFICIENT_PRIVILEGES.get());
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_MODIFY_PWRESET_INSUFFICIENT_PRIVILEGES.get());
}
}
@@ -1158,57 +1285,11 @@
AttributeType t = a.getAttributeType();
- // If the attribute type is marked "NO-USER-MODIFICATION" then fail unless
- // this is an internal operation or is related to synchronization in some
- // way.
- if (t.isNoUserModification())
- {
- if (! (isInternalOperation() || isSynchronizationOperation() ||
- m.isInternal()))
- {
- throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_ATTR_IS_NO_USER_MOD.get(
- String.valueOf(entryDN), a.getName()));
- }
- }
-
- // If the attribute type is marked "OBSOLETE" and the modification is
- // setting new values, then fail unless this is an internal operation or
- // is related to synchronization in some way.
- if (t.isObsolete())
- {
- if (a.hasValue() &&
- (m.getModificationType() != ModificationType.DELETE))
- {
- if (! (isInternalOperation() || isSynchronizationOperation() ||
- m.isInternal()))
- {
- throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_ATTR_IS_OBSOLETE.get(
- String.valueOf(entryDN), a.getName()));
- }
- }
- }
-
-
- // See if the attribute is one which controls the privileges available for
- // a user. If it is, then the client must have the PRIVILEGE_CHANGE
- // privilege.
- if (t.hasName(OP_ATTR_PRIVILEGE_NAME))
- {
- if (! clientConnection.hasPrivilege(Privilege.PRIVILEGE_CHANGE, this))
- {
- throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_MODIFY_CHANGE_PRIVILEGE_INSUFFICIENT_PRIVILEGES.get());
- }
- }
-
-
// If the modification is updating the password attribute, then perform
// any necessary password policy processing. This processing should be
// skipped for synchronization operations.
boolean isPassword =
- t.equals(pwPolicyState.getPolicy().getPasswordAttribute());
+ t.equals(pwPolicyState.getPolicy().getPasswordAttribute());
if (isPassword && (!(isSynchronizationOperation())))
{
// If the attribute contains any options, then reject it. Passwords
@@ -1218,28 +1299,28 @@
if (a.hasOptions())
{
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_PASSWORDS_CANNOT_HAVE_OPTIONS.get());
+ ERR_MODIFY_PASSWORDS_CANNOT_HAVE_OPTIONS.get());
}
// If it's a self change, then see if that's allowed.
if (selfChange &&
- (! pwPolicyState.getPolicy().allowUserPasswordChanges()))
+ (! pwPolicyState.getPolicy().allowUserPasswordChanges()))
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_NO_USER_PW_CHANGES.get());
+ ERR_MODIFY_NO_USER_PW_CHANGES.get());
}
// If we require secure password changes, then makes sure it's a
// secure communication channel.
if (pwPolicyState.getPolicy().requireSecurePasswordChanges() &&
- (! clientConnection.isSecure()))
+ (! clientConnection.isSecure()))
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_REQUIRE_SECURE_CHANGES.get());
+ ERR_MODIFY_REQUIRE_SECURE_CHANGES.get());
}
@@ -1249,7 +1330,7 @@
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_TOO_YOUNG;
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_WITHIN_MINIMUM_AGE.get());
+ ERR_MODIFY_WITHIN_MINIMUM_AGE.get());
}
}
@@ -1260,7 +1341,7 @@
boolean isAdd = (m.getModificationType() == ModificationType.ADD);
LinkedHashSet<AttributeValue> pwValues = a.getValues();
LinkedHashSet<AttributeValue> encodedValues =
- new LinkedHashSet<AttributeValue>();
+ new LinkedHashSet<AttributeValue>();
switch (m.getModificationType())
{
case ADD:
@@ -1274,38 +1355,10 @@
default:
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
- ERR_MODIFY_INVALID_MOD_TYPE_FOR_PASSWORD.get(
- String.valueOf(m.getModificationType()),
- a.getName()));
+ ERR_MODIFY_INVALID_MOD_TYPE_FOR_PASSWORD.get(
+ String.valueOf(m.getModificationType()),
+ a.getName()));
}
- }
- else
- {
- // See if it's an attribute used to maintain the account
- // enabled/disabled state.
- AttributeType disabledAttr =
- DirectoryServer.getAttributeType(OP_ATTR_ACCOUNT_DISABLED, true);
- if (t.equals(disabledAttr))
- {
- enabledStateChanged = true;
- for (AttributeValue v : a.getValues())
- {
- try
- {
- isEnabled =
- (! BooleanSyntax.decodeBooleanValue(v.getNormalizedValue()));
- }
- catch (DirectoryException de)
- {
- throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX,
- ERR_MODIFY_INVALID_DISABLED_VALUE.get(
- OP_ATTR_ACCOUNT_DISABLED,
- String.valueOf(de.getMessageObject())), de);
- }
- }
- }
- }
-
switch (m.getModificationType())
{
@@ -1325,6 +1378,7 @@
processInitialIncrementSchema(a);
break;
}
+ }
}
}
--
Gitblit v1.10.0