directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [ApacheDS][ACI] ATTRIBUTE_VALUE Operation Scope
Date Fri, 06 Jul 2007 12:01:43 GMT
Hi Ersin,

Please fix as you see fit. You're the most knowledgeable of us all on this
topic.

I understand what you're stating and it is a subtle issue that was not easy
for many to understand.  Hope the fix is a quick and easy one.

Alex


On 7/4/07, Ersin Er <ersin.er@gmail.com> wrote:
>
> Well, I think there is a solution without introducing a new Operation
> Scope. I'll commit it soon.
>
> On 7/4/07, Ersin Er <ersin.er@gmail.com> wrote:
> > Let me extend the topic a little bit,
> >
> > The problem (that I think is) I faced is that when a user has only
> > grantAdd permission for allAttributeValues he/she should not be able
> > to add a new instance of the attribute to the entry. It only allows
> > adding a new value to an existing attribute. However it's not the case
> > for ApacheDS now. It allows adding new attributes although having only
> > grantAdd for allAttributeValues. This is also demonstrated in the
> > current unit tests:
> >
> >
> > http://svn.apache.org/viewvc/directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?view=markup
> >
> > If I am right, these tests (as well as some others possibly) will need
> > to change too.
> >
> > On 7/4/07, Ersin Er <ersin.er@gmail.com> wrote:
> > > Hi,
> > >
> > > As I am browsing the Authorization code and doing some tests, I saw
> > > that we do not have an ATTRIBUTE_VALUE scope in the following class:
> > >
> > > http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java?view=markup
> > >
> > > IMO, we need such an operation scope because in a case where you have
> > > allAttributeValues protectedItem with grantAdd permission you should
> > > be only allowed to add new values to an existing attribute. So this
> > > kind of operation only deals with values, not attribute type or not
> > > both.
> > >
> > > If I am right, not handling this operation scope causes several
> > > problems in the Authorization system which is the real problem. I
> > > still need to write some tests and figure out which part of the code
> > > really deals with handling those scopes.
> > >
> > > I just wanted to inform you and get your ideas on the topic if any.
> > >
> > > Thanks.
> > >
> > > --
> > > Ersin
> > >
> >
> >
> > --
> > Ersin Er
> >
> > R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
> > http://www.cs.hacettepe.edu.tr
> >
> > Committer and PMC Member of The Apache Directory Project
> > http://directory.apache.org
> >
>
>
> --
> Ersin Er
>
> R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe
> University
> http://www.cs.hacettepe.edu.tr
>
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
>
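
Added example, not part of the original messages and not ApacheDS code: a toy Java model of the check discussed in this thread, comparing a decision that looks only at grantAdd on allAttributeValues with one that also asks whether the attribute already exists in the entry. The class and method names, the sample entry, and the rule that creating an attribute additionally needs grantAdd on attributeType are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: a toy model, not ApacheDS code. All names are hypothetical.
public class AciAddCheck {
    enum ProtectedItem { ATTRIBUTE_TYPE, ALL_ATTRIBUTE_VALUES }

    // Behaviour reported in the thread: grantAdd on allAttributeValues alone lets the add through.
    static boolean valueOnlyCheck(Map<String, EnumSet<ProtectedItem>> grantAdd, String attr) {
        return granted(grantAdd, attr).contains(ProtectedItem.ALL_ATTRIBUTE_VALUES);
    }

    // Behaviour argued for: the value grant only covers attributes already in the entry.
    // Assumption: creating the attribute additionally needs grantAdd on attributeType.
    static boolean scopedCheck(Map<String, Set<String>> entry,
                               Map<String, EnumSet<ProtectedItem>> grantAdd, String attr) {
        EnumSet<ProtectedItem> g = granted(grantAdd, attr);
        Set<String> existing = entry.get(attr);
        boolean attrPresent = existing != null && !existing.isEmpty();
        return g.contains(ProtectedItem.ALL_ATTRIBUTE_VALUES)
                && (attrPresent || g.contains(ProtectedItem.ATTRIBUTE_TYPE));
    }

    // grantAdd items held for one attribute; empty set when nothing is granted.
    static EnumSet<ProtectedItem> granted(Map<String, EnumSet<ProtectedItem>> grantAdd, String attr) {
        EnumSet<ProtectedItem> g = grantAdd.get(attr);
        return g != null ? g : EnumSet.noneOf(ProtectedItem.class);
    }

    public static void main(String[] args) {
        // Constructed sample entry: has "telephoneNumber", has no "description".
        Map<String, Set<String>> entry = new HashMap<>();
        entry.put("telephoneNumber", new HashSet<>(Arrays.asList("555-0100")));

        // Constructed grants: the user holds grantAdd on allAttributeValues only.
        Map<String, EnumSet<ProtectedItem>> grantAdd = new HashMap<>();
        for (String a : Arrays.asList("telephoneNumber", "description")) {
            grantAdd.put(a, EnumSet.of(ProtectedItem.ALL_ATTRIBUTE_VALUES));
        }

        // Compare both decisions for an existing and a missing attribute.
        for (String attr : Arrays.asList("telephoneNumber", "description")) {
            System.out.printf("add value to %-16s valueOnly=%-5b scoped=%b%n",
                    attr, valueOnlyCheck(grantAdd, attr), scopedCheck(entry, grantAdd, attr));
        }
    }
}
```

The two checks agree for the attribute that already exists and differ only for the missing one, which is the case a regression test for this fix needs to cover.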
