directory-commits mailing list archives

From ersi...@apache.org
Subject svn commit: r553212 - in /directory/apacheds/trunk: core-unit/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/support/ core/src/t...
Date Wed, 04 Jul 2007 14:03:54 GMT
Author: ersiner
Date: Wed Jul  4 07:03:52 2007
New Revision: 553212

URL: http://svn.apache.org/viewvc?view=rev&rev=553212
Log:
Fix for DIRSERVER-989 and minor cleanup.

Modified:
    directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java

Modified: directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?view=diff&rev=553212&r1=553211&r2=553212
==============================================================================
--- directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
(original)
+++ directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
Wed Jul  4 07:03:52 2007
@@ -84,19 +84,25 @@
 
             // modify the entry as the user
             DirContext userContext = getContextAs( userName, password );
+            int k = 2;
+            k++;
             userContext.modifyAttributes( entryRdn, mods );
 
             return true;
         }
         catch ( LdapNoPermissionException e )
         {
-            return false;
+        }
+        catch ( Exception e2 )
+        {
         }
         finally
         {
             // let's clean up
             adminContext.destroySubcontext( entryRdn );
         }
+        
+        return false;
     }
 
 
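Review bot: The new empty `catch ( Exception e2 )` makes this helper return false for any failure, not only `LdapNoPermissionException`. An `assertFalse` on it would therefore also pass when the modify fails for a reason unrelated to access control, which hides the regressions an authorization test is meant to catch. I would drop the catch-all and let unexpected exceptions propagate, keeping `catch ( LdapNoPermissionException e ) { return false; }`, provided the method's throws clause (outside the hunk) allows it. The added `int k = 2;` and `k++;` lines are unused and look like debugging leftovers that should be removed.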
@@ -297,7 +303,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials
{ grantAdd } } " + "} } }" );
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}},
grantsAndDenials { grantAdd } } " + "} } }" );
 
         // see if we can now add that test entry which we could not before
         // add op should still fail since billd is not in the admin group
@@ -348,7 +354,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials
{ grantAdd, grantRemove } } "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}},
grantsAndDenials { grantAdd, grantRemove } } "
             + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
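Review bot: The new ACI string pairs `attributeType {registeredAddress}` with `allAttributeValues {telephoneNumber}`, while the hunks at -297 and -374 name the same attribute in both items, so this reads like a copy-paste slip. If the modification adds or removes `telephoneNumber` as a whole attribute, the attribute-level grant it needs would be `attributeType {telephoneNumber}`. As written, the test may be passing only because the attribute-level check is never reached. The same string appears in the hunk at -418. Suggested, assuming telephoneNumber is what the test modifies (not visible here): `protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}`.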
@@ -374,7 +380,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials
{ grantAdd } } " + "} } }" );
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}},
grantsAndDenials { grantAdd } } " + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE,
changes ) );
@@ -418,7 +424,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials
{ grantAdd, grantRemove } } "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}},
grantsAndDenials { grantAdd, grantRemove } } "
             + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?view=diff&rev=553212&r1=553211&r2=553212
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Wed Jul  4 07:03:52 2007
@@ -558,14 +558,34 @@
 
         for ( int ii = 0; ii < mods.length; ii++ )
         {
+            Attribute attr = mods[ii].getAttribute();
+            
             switch ( mods[ii].getModificationOp() )
             {
                 case ( DirContext.ADD_ATTRIBUTE  ):
                     perms = ADD_PERMS;
+                    // If the attribute is being created with an initial value ...
+                    if ( entry.get( attr.getID() ) == null )
+                    {
+                        // ... we also need to check if adding the attribute is permitted
+                        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                            attr.getID(), null, perms, tuples, entry );
+                    }
                     break;
                     
                 case ( DirContext.REMOVE_ATTRIBUTE  ):
                     perms = REMOVE_PERMS;
+                    Attribute entryAttr = entry.get( attr.getID() );
+                    if (  entryAttr != null )
+                    {
+                        // If there is only one value remaining in the attribute ...
+                        if ( entryAttr.get( 1 ) == null )
+                        {
+                            // ... we also need to check if removing the attribute at all
is permitted
+                            engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                                attr.getID(), null, perms, tuples, entry );
+                        }
+                    }
                     break;
                     
                 case ( DirContext.REPLACE_ATTRIBUTE  ):
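Review bot: In the `REMOVE_ATTRIBUTE` branch the attribute-level check depends on `entryAttr.get( 1 ) == null`, which ignores what the modification itself carries. A removal with no values, which deletes the whole attribute, skips this check whenever the entry holds two or more values, and the per-value loop in the next hunk then runs zero times. That item appears to get no attribute-level or value-level `checkPermission` call at all. Depending on the `Attribute` implementation, `get( 1 )` on a single-valued attribute may also throw rather than return null. A size-based condition such as `if ( attr.size() == 0 || entryAttr.size() <= attr.size() )` would cover the empty removal and a multi-value removal that empties the attribute; the enclosing method starts and ends outside the hunk.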
@@ -573,12 +593,10 @@
                     break;
             }
 
-            Attribute attr = mods[ii].getAttribute();
-            
             for ( int jj = 0; jj < attr.size(); jj++ )
             {
-                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name, attr
-                    .getID(), attr.get( jj ), perms, tuples, entry );
+                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                    attr.getID(), attr.get( jj ), perms, tuples, entry );
             }
         }
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?view=diff&rev=553212&r1=553211&r2=553212
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
Wed Jul  4 07:03:52 2007
@@ -44,6 +44,7 @@
 import org.apache.directory.server.core.subtree.RefinementLeafEvaluator;
 import org.apache.directory.server.core.subtree.SubentryService;
 import org.apache.directory.server.core.subtree.SubtreeEvaluator;
+import org.apache.directory.server.core.trigger.TriggerService;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
 import org.apache.directory.server.schema.registries.OidRegistry;
 import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -94,13 +95,16 @@
         SubtreeEvaluator subtreeEvaluator = new SubtreeEvaluator( oidRegistry, attrTypeRegistry
);
         RefinementEvaluator refinementEvaluator = new RefinementEvaluator( new RefinementLeafEvaluator(
oidRegistry ) );
 
-        filters = new ACITupleFilter[]
-            { new RelatedUserClassFilter( subtreeEvaluator ),
-                new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator, oidRegistry,
attrTypeRegistry ), 
-                new MaxValueCountFilter(),
-                new MaxImmSubFilter(), new RestrictedByFilter(), new MicroOperationFilter(),
-                new HighestPrecedenceFilter(), new MostSpecificUserClassFilter(),
-                new MostSpecificProtectedItemFilter(), };
+        filters = new ACITupleFilter[] {
+            new RelatedUserClassFilter( subtreeEvaluator ),
+            new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator, oidRegistry,
attrTypeRegistry ),
+            new MaxValueCountFilter(),
+            new MaxImmSubFilter(),
+            new RestrictedByFilter(),
+            new MicroOperationFilter(),
+            new HighestPrecedenceFilter(),
+            new MostSpecificUserClassFilter(),
+            new MostSpecificProtectedItemFilter() };
     }
 
 
@@ -144,6 +148,7 @@
         c.add( SubentryService.NAME );
         c.add( OperationalAttributeService.NAME );
         c.add( EventService.NAME );
+        c.add( TriggerService.NAME );
         USER_LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
     }
 
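Review bot: `TriggerService.NAME` is added to `USER_LOOKUP_BYPASS` without a comment, and the commit log mentions only DIRSERVER-989 and cleanup. This collection appears to name the interceptors skipped when the engine performs its own lookups, so each addition widens what runs outside the normal chain and deserves a stated reason. If this is the intent, I would add a line such as `// triggers must not fire for the engine's internal user lookups` above the new `c.add`. The static initializer starts outside the hunk.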

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?view=diff&rev=553212&r1=553211&r2=553212
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
Wed Jul  4 07:03:52 2007
@@ -131,7 +131,7 @@
             }
             else if ( item instanceof ProtectedItem.AllAttributeValues )
             {
-                if ( scope != OperationScope.ATTRIBUTE_TYPE && scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE
)
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
                 {
                     continue;
                 }
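Review bot: Dropping `OperationScope.ATTRIBUTE_TYPE` from this condition changes how existing ACIs are evaluated, and nothing at the branch says so. Tuples whose only protected item is `allAttributeValues` are now discarded at attribute-type scope, grants and denials alike. Deployed ACIs that relied on an `allAttributeValues` denial to also cover the attribute type would presumably stop applying at that scope, so this merits a release note as well as a comment. Suggested comment above the `if`: `// allAttributeValues covers values only; attribute-type scope must be matched via attributeType`. The enclosing loop and method are outside the hunk.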

Modified: directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java?view=diff&rev=553212&r1=553211&r2=553212
==============================================================================
--- directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
Wed Jul  4 07:03:52 2007
@@ -171,10 +171,10 @@
 
         tuples = getTuples( new ProtectedItem.AllAttributeValues( attrTypes ) );
 
-        Assert.assertEquals( 1, filterA.filter( tuples, OperationScope.ATTRIBUTE_TYPE, null,
null, USER_NAME, null,
+        Assert.assertEquals( 1, filterA.filter( tuples, OperationScope.ATTRIBUTE_TYPE_AND_VALUE,
null, null, USER_NAME, null,
             null, null, "attrA", null, null, null ).size() );
 
-        Assert.assertEquals( 0, filterB.filter( tuples, OperationScope.ATTRIBUTE_TYPE, null,
null, USER_NAME, null,
+        Assert.assertEquals( 0, filterB.filter( tuples, OperationScope.ATTRIBUTE_TYPE_AND_VALUE,
null, null, USER_NAME, null,
             null, null, "attrB", null, null, null ).size() );
     }
 
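Review bot: Both assertions are switched to `OperationScope.ATTRIBUTE_TYPE_AND_VALUE`, so nothing in this test pins the behaviour the commit introduces. That behaviour is that an `allAttributeValues` tuple is filtered out at `OperationScope.ATTRIBUTE_TYPE`. I would keep the two updated assertions and add a negative one with the same arguments as the `filterA` call but `OperationScope.ATTRIBUTE_TYPE` and an expected size of `0`. The test method starts outside the hunk.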


