Please fix as you see fit. You're the most knowledgeable of us all on this topic.
I understand what you're stating and it is a subtle issue that was not easy for many to understand. Hope the fix is a quick and easy one.
Well, I think there is a solution without introducing a new Operation
Scope. I'll commit it soon.
On 7/4/07, Ersin Er <email@example.com> wrote:
> Let me extend the topic a little bit,
> The problem (that I think is) I faced is that when a user has only
> grantAdd permission for allAttributeValues he/she should not be able
> to add a new instance of the attribute to the entry. It only allows
> adding a new value to an existing attribute. However it's not the case
> for ApacheDS now. It allows adding new attributes although having only
> grantAdd for allAttributeValues. This is also demonstrated in the
> current unit tests:
> If I am right, these tests (as well as some others possibly) will need
> to change too.
> On 7/4/07, Ersin Er <firstname.lastname@example.org> wrote:
> > Hi,
> > As I am browsing the Authorization code and doing some tests, I saw
> > that we do not have an ATTRIBUTE_VALUE scope in the following class:
> > http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java?view=markup
> > IMO, we need such an operation scope because in a case where you have
> > allAttributeValues protectedItem with grantAdd permission you should
> > be only allowed to add new values to an existing attribute. So this
> > kind of operation only deals with values, not attribute type or not
> > both.
> > If I am right, not handling this operation scope causes several
> > problems in the Authorization system which is the real problem. I
> > still need to write some tests and figure out which part of the code
> > really deals with handling those scopes.
> > I just wanted to inform you and get your ideas on the topic if any.
> > Thanks.
> > --
> > Ersin
> Ersin Er
> R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
> Committer and PMC Member of The Apache Directory Project
R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
Committer and PMC Member of The Apache Directory Project
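
The distinction discussed in this thread, as an added example (a simplified Python model, not ApacheDS code and not written by anyone in the thread). It puts the reported check beside the expected one and lists the attributes where they disagree. The names Grant, has_grant_add, may_add_value_reported, may_add_value_expected and over_permitted are hypothetical, the sample entry is constructed, and the rule that creating a new attribute needs grantAdd on the attributeType item is an assumption.

```python
from dataclasses import dataclass

ATTRIBUTE_TYPE = "attributeType"
ALL_ATTRIBUTE_VALUES = "allAttributeValues"


@dataclass(frozen=True)
class Grant:
    """One grantAdd on a protected item for one attribute (simplified ACI model)."""
    protected_item: str
    attribute: str


def has_grant_add(grants, protected_item, attribute):
    return any(g.protected_item == protected_item
               and g.attribute.lower() == attribute.lower() for g in grants)


def may_add_value_reported(grants, entry, attribute):
    # Behaviour reported in the thread: the value-level grant alone decides,
    # whether or not the entry already holds the attribute.
    return has_grant_add(grants, ALL_ATTRIBUTE_VALUES, attribute)


def may_add_value_expected(grants, entry, attribute):
    # Behaviour argued for in the thread: the value-level grant only extends
    # an attribute that already exists in the entry.
    if not has_grant_add(grants, ALL_ATTRIBUTE_VALUES, attribute):
        return False
    if any(name.lower() == attribute.lower() for name in entry):
        return True
    # Assumption: creating the attribute also needs grantAdd on attributeType.
    return has_grant_add(grants, ATTRIBUTE_TYPE, attribute)


def over_permitted(grants, entry, attributes):
    """Attributes the reported check allows but the expected check denies."""
    return [a for a in attributes
            if may_add_value_reported(grants, entry, a)
            and not may_add_value_expected(grants, entry, a)]


# Constructed sample data: an entry without telephoneNumber and a subject
# holding only value-level grants.
ENTRY = {"cn": ["Test User"], "sn": ["User"]}
VALUE_ONLY = [Grant(ALL_ATTRIBUTE_VALUES, "cn"),
              Grant(ALL_ATTRIBUTE_VALUES, "telephoneNumber")]
```

A regression test for the fix would assert that over_permitted returns an empty list for every subject that holds only value-level grants.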