directory-commits mailing list archives

From trus...@apache.org
Subject svn commit: r326422 - in /directory/apacheds/trunk/core/src: main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
Date Wed, 19 Oct 2005 07:08:05 GMT
Author: trustin
Date: Wed Oct 19 00:07:55 2005
New Revision: 326422

URL: http://svn.apache.org/viewcvs?rev=326422&view=rev
Log:
Fixed: ProtectedItem.AttributeType should not affect the result of operations of OperationScope.ATTRIBUTE_TYPE_AND_VALUE.

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java?rev=326422&r1=326421&r2=326422&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
Wed Oct 19 00:07:55 2005
@@ -135,8 +135,7 @@
             }
             else if( item instanceof ProtectedItem.AttributeType )
             {
-                if( scope != OperationScope.ATTRIBUTE_TYPE &&
-                    scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                if( scope != OperationScope.ATTRIBUTE_TYPE )
                 {
                     continue;
                 }
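Review bot: The narrowed condition in the `ProtectedItem.AttributeType` branch has no comment explaining why value-scoped operations are excluded, and in authorization code an unexplained scope test is easy for a later maintainer to "restore". I would add above the `if`: `// attributeType protects only the type information, not its values, so it is related to ATTRIBUTE_TYPE scope only`. After this change a tuple naming only `attributeType` presumably contributes neither grants nor denials to ATTRIBUTE_TYPE_AND_VALUE decisions. It is worth confirming that the value-level branches still cover that scope and that no existing ACI relied on an attributeType denial to hide values. The enclosing loop and method start and end outside this hunk, so the sibling branches could not be checked here.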

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java?rev=326422&r1=326421&r2=326422&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
Wed Oct 19 00:07:55 2005
@@ -556,77 +556,77 @@
     }
 
 
-//    /**
-//     * Checks to make sure specific attribute values are not present when
-//     * read permission is denied.
-//     *
-//     * @throws javax.naming.NamingException if the test encounters an error
-//     */
-//    public void testHidingAttributeValues() throws NamingException
-//    {
-//        // create the non-admin user
-//        createUser( "billyd", "billyd" );
-//
-//        // try an add operation which should fail without any ACI
-//        assertFalse( checkCanSearchAs( "billyd", "billyd", 3 ) );
-//
-//        // now add a subentry that enables anyone to search an entry below ou=system
-//        // down two more rdns for DNs of a max size of 3.  It only grants access to
-//        // the ou and objectClass attributes however.
-//        createAccessControlSubentry( "excluseOUValue",
-//                "{ maximum 2 }",
-//                "{ " +
-//                "identificationTag \"searchAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { allUsers }, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, attributeType { ou }, allAttributeValues { objectClass
}, attributeValue { ou=0, ou=1, ou=2 } }, " +
-//                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
-//
-//        // see if we can now add that search and find 4 entries
-//        assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
-//
-//        // check to make sure the ou attribute value "testEntry" is not present in results
-//        Iterator list = results.values().iterator();
-//        while ( list.hasNext() )
-//        {
-//            SearchResult result = ( SearchResult ) list.next();
-//            assertFalse( result.getAttributes().get( "ou" ).contains( "testEntry" ) );
-//        }
-//
-//        // delete the subentry to test more general rule's inclusion of all values
-//        deleteAccessControlSubentry( "excluseOUValue" );
-//
-//        // now add a subentry that enables anyone to search an entry below ou=system
-//        // down two more rdns for DNs of a max size of 3.  This time we should be able
-//        // to see the telephoneNumber attribute
-//        createAccessControlSubentry( "includeAllAttributeTypesAndValues",
-//                "{ maximum 2 }",
-//                "{ " +
-//                "identificationTag \"searchAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { allUsers }, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, allUserAttributeTypesAndValues }, " +
-//                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
-//
-//        // again we should find four entries
-//        assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
-//
-//        // check now to make sure the telephoneNumber attribute is present in results
-//        list = results.values().iterator();
-//        while ( list.hasNext() )
-//        {
-//            SearchResult result = ( SearchResult ) list.next();
-//            assertTrue( result.getAttributes().get( "ou" ).contains( "testEntry" ) );
-//        }
-//    }
-//
-//
+    /**
+     * Checks to make sure specific attribute values are not present when
+     * read permission is denied.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testHidingAttributeValues() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanSearchAs( "billyd", "billyd", 3 ) );
+
+        // now add a subentry that enables anyone to search an entry below ou=system
+        // down two more rdns for DNs of a max size of 3.  It only grants access to
+        // the ou and objectClass attributes however.
+        createAccessControlSubentry( "excluseOUValue",
+                "{ maximum 2 }",
+                "{ " +
+                "identificationTag \"searchAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, attributeType { ou }, allAttributeValues { objectClass
}, attributeValue { ou=0, ou=1, ou=2 } }, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // see if we can now add that search and find 4 entries
+        assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
+
+        // check to make sure the ou attribute value "testEntry" is not present in results
+        Iterator list = results.values().iterator();
+        while ( list.hasNext() )
+        {
+            SearchResult result = ( SearchResult ) list.next();
+            assertFalse( result.getAttributes().get( "ou" ).contains( "testEntry" ) );
+        }
+
+        // delete the subentry to test more general rule's inclusion of all values
+        deleteAccessControlSubentry( "excluseOUValue" );
+
+        // now add a subentry that enables anyone to search an entry below ou=system
+        // down two more rdns for DNs of a max size of 3.  This time we should be able
+        // to see the telephoneNumber attribute
+        createAccessControlSubentry( "includeAllAttributeTypesAndValues",
+                "{ maximum 2 }",
+                "{ " +
+                "identificationTag \"searchAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues }, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // again we should find four entries
+        assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
+
+        // check now to make sure the telephoneNumber attribute is present in results
+        list = results.values().iterator();
+        while ( list.hasNext() )
+        {
+            SearchResult result = ( SearchResult ) list.next();
+            assertTrue( result.getAttributes().get( "ou" ).contains( "testEntry" ) );
+        }
+    }
+
+
     /**
      * Adds a perscriptiveACI to allow search, tests for success, then adds entryACI
      * to deny read, browse and returnDN to a specific entry and checks to make sure
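Review bot: In the re-enabled `testHidingAttributeValues`, both loops dereference `result.getAttributes().get( "ou" )` without a null check. If filtering ever removes the whole `ou` attribute, the test fails with a NullPointerException instead of a readable assertion; adding `assertNotNull( result.getAttributes().get( "ou" ) );` before each `contains` call would make that failure explicit. Several comments also no longer match the code: "try an add operation" sits above a search check, and the last loop's comment mentions telephoneNumber while the assertion checks `ou` for "testEntry". The test exercises only grants, so a companion case with a denial on `attributeType { ou }` would pin down the behaviour this commit changes in RelatedProtectedItemFilter.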


