directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ersin Er" <>
Subject Re: [ApacheDS][ACI] ATTRIBUTE_VALUE Operation Scope
Date Wed, 04 Jul 2007 11:07:26 GMT
Let me extend the topic a little bit,

The problem (that I think is) I faced is that when a user has only
grantAdd permission for allAttributeValues he/she should not be able
to add a new instance of the attribute to the entry. It only allows
adding a new value to an existing attribute. However it's not the case
for ApacheDS now. It allows adding new attributes although having only
grantAdd for allAttributeValues. This is also demonstrated in the
current unit tests:

If I am right, these tests (as well as some others possibly) will need
to change too.

On 7/4/07, Ersin Er <> wrote:
> Hi,
> As I am browsing the Authorization code and doing some tests, I saw
> that we do not have a ATTRIBUTE_VALUE scope in the following class:
> IMO, we need such an operation scope because in a case where you have
> allAttributeValues protectedItem with grantAdd permission you should
> be only allowed to add new values to an existing attribute. So this
> kind of operation only deals with values, not attribute type or not
> both.
> If I am right, not handling this operation scope causes several
> problems in the Authorization system which is the real problem. I
> still need to write some tests and figure out which part of the code
> really deals with handling those scopes.
> I just wanted to inform you and get you ideas on the topic if any.
> Thanks.
> --
> Ersin

Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University

Committer and PMC Member of The Apache Directory Project

View raw message