directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ersin Er" <ersin...@gmail.com>
Subject Re: [ApacheDS][ACI] ATTRIBUTE_VALUE Operation Scope
Date Wed, 04 Jul 2007 13:18:59 GMT
Well, I think there is a solution without introducing a new Operation
Scope. I'll commit it soon.

On 7/4/07, Ersin Er <ersin.er@gmail.com> wrote:
> Let me extend the topic a little bit,
>
> The problem (that I think is) I faced is that when a user has only
> grantAdd permission for allAttributeValues he/she should not be able
> to add a new instance of the attribute to the entry. It only allows
> adding a new value to an existing attribute. However it's not the case
> for ApacheDS now. It allows adding new attributes although having only
> grantAdd for allAttributeValues. This is also demonstrated in the
> current unit tests:
>
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?view=markup
>
> If I am right, these tests (as well as some others possibly) will need
> to change too.
>
> On 7/4/07, Ersin Er <ersin.er@gmail.com> wrote:
> > Hi,
> >
> > As I am browsing the Authorization code and doing some tests, I saw
> > that we do not have a ATTRIBUTE_VALUE scope in the following class:
> > http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java?view=markup
> >
> > IMO, we need such an operation scope because in a case where you have
> > allAttributeValues protectedItem with grantAdd permission you should
> > be only allowed to add new values to an existing attribute. So this
> > kind of operation only deals with values, not attribute type or not
> > both.
> >
> > If I am right, not handling this operation scope causes several
> > problems in the Authorization system which is the real problem. I
> > still need to write some tests and figure out which part of the code
> > really deals with handling those scopes.
> >
> > I just wanted to inform you and get you ideas on the topic if any.
> >
> > Thanks.
> >
> > --
> > Ersin
> >
>
>
> --
> Ersin Er
>
> R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
> http://www.cs.hacettepe.edu.tr
>
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
>


-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org

Mime
View raw message