From fe64ffeb5c2b4703399da8827182495e912f80ac Mon Sep 17 00:00:00 2001
From: Manuel Gaupp <m.gaupp@scanplus.de>
Date: Fri, 17 May 2013 12:15:30 +0000
Subject: [PATCH] CR-1677 Fix issue OPENDJ-899: ModDN with the same value ignored by ACIs

---
 opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java |   14 ++++++++++++++
 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java                       |    7 ++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index d0f6401..a317077 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -24,6 +24,7 @@
  *
  *      Copyright 2008-2010 Sun Microsystems, Inc.
  *      Portions Copyright 2011-2012 ForgeRock AS
+ *      Portions Copyright 2013 Manuel Gaupp
  */
 package org.opends.server.authorization.dseecompat;
 
@@ -479,9 +480,8 @@
           ret = false;
         }
       }
-      boolean rdnEquals = oldRDN.equals(newRDN);
-      // Perform the RDN access checks only if the RDNs are not equal.
-      if (ret && !rdnEquals)
+      // Perform the RDN access checks.
+      if (ret)
       {
         ret = aciCheckRDNs(operation, oldRDN, newRDN);
       }
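Review bot: The new comment `// Perform the RDN access checks.` no longer says why the check is unconditional, which makes it easy for a later cleanup to reintroduce the `oldRDN.equals(newRDN)` shortcut this commit removes. I would state the invariant instead, e.g. `// Always run the RDN access checks, even when oldRDN equals newRDN: a same-value ModDN must still be evaluated against the ACIs (OPENDJ-899).` The enclosing method starts and ends outside this hunk.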
@@ -495,6 +495,7 @@
                 operation.getOriginalEntry());
         // The RDNs are not equal, skip the proxy check since it was
         // already performed in the aciCheckRDNs call above.
+        boolean rdnEquals = oldRDN.equals(newRDN);
         if (!rdnEquals)
         {
           operationContainer.setSeenEntry(true);
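Review bot: The comment kept above the added `boolean rdnEquals = oldRDN.equals(newRDN);` is now stale. After the previous hunk in this file, `aciCheckRDNs` runs whenever `ret` is true, not only when the RDNs differ, so "already performed in the aciCheckRDNs call above" no longer explains why `setSeenEntry(true)` is limited to `if (!rdnEquals)`. If `aciCheckRDNs` does perform the proxy check, it would presumably be evaluated a second time here for equal RDNs; that looks redundant rather than permissive, but it should be confirmed against `aciCheckRDNs` and the comment reworded to describe the intended behaviour for equal RDNs. The local could also be declared `final boolean rdnEquals`. The surrounding block begins and ends outside this hunk.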
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
index 4eac620..ce3563f 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -24,6 +24,7 @@
  *
  *      Copyright 2008-2010 Sun Microsystems, Inc.
  *      Portions Copyright 2011-2012 ForgeRock AS
+ *      Portions Copyright 2013 Manuel Gaupp
  *
  */
 package org.opends.server.authorization.dseecompat;
@@ -37,6 +38,7 @@
 import static org.testng.Assert.assertEquals;
 import org.testng.Assert;
 import static org.opends.server.util.ServerConstants.EOL;
+import org.opends.server.protocols.ldap.LDAPResultCode;
 import org.opends.server.util.LDIFReader;
 import org.opends.server.util.LDIFWriter;
 import static org.opends.server.config.ConfigConstants.*;
@@ -1929,6 +1931,18 @@
        throw e;
    }
   }
+
+  /**
+   * Test anonymous modify DN with the same RDN.
+   */
+  @Test()
+  public void testAnonymousModDNSameRDN() throws Throwable {
+    addEntries(BASIC_LDIF__GROUP_SEARCH_TESTS, DIR_MGR_DN, DIR_MGR_PW);
+    String modRDNLdif = makeModDN(OU_LEAF_DN, "ou=leaf", "1", null);
+    LDIFModify(modRDNLdif, "", "", null,
+               LDAPResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+    }
+
   /**
    * Test selfwrite right. Attempt to bind as level3 user and remove level1
    * user from a group, should fail.
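Review bot: `testAnonymousModDNSameRDN` pins only the denial path, so an over-broad denial introduced by the AciHandler change would go unnoticed. Nothing in this hunk checks that a bind which is allowed to rename the entry still succeeds when the new RDN equals the old one. A companion case that runs the same `makeModDN(OU_LEAF_DN, "ou=leaf", "1", null)` request as an authorised user and expects `LDAPResultCode.SUCCESS` would cover that, assuming the fixture has an ACI granting the rename. The Javadoc could also name the expected outcome, e.g. `Test that an anonymous modify DN whose new RDN equals the old RDN is rejected with INSUFFICIENT_ACCESS_RIGHTS (OPENDJ-899).` The closing brace of the method is indented four spaces where the rest of the class uses two.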

--
Gitblit v1.10.0