On Sat, Dec 24, 2011 at 1:27 PM, Emmanuel Lecharny <firstname.lastname@example.org>
we have a strange test that checks if a normal user (not the admin) can read under ou=system. This test is just totally wrong, as it uses the admin session, so I tried to fix it using a plain user. Sadly, oing so, I can read almost everyting under ou=system.
So I question the logic :
- can a normal user read something under ou=system (except his own record)
- should we instead forbid this user to read the 'uid=admin,ou=system', 'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system' entries (and their children) ?
- or should we just allow this user to read everything except if the ACI subsystem is set ?
IMO, I'd rather go for the third option.
Note : the test is org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin :
* Makes sure non-admin cannot search under ou=system.
* @throws Exception if there are problems
public void testNoSearchByNonAdmin() throws Exception
LdifEntry akarasulu = getUserAddLdif();
new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );
ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
getService().getAdminSession().search( new Dn( "ou=system" ), SearchScope.SUBTREE, filter , AliasDerefMode.DEREF_ALWAYS, null );
catch ( LdapNoPermissionException e )
assertNotNull( e );
It passes with flying colors, just because we don't check anything...
Really odd we're searching as admin here because of the admin session. I remember writing these tests a long long time ago and they should be searching with the newly created non-admin user. I guess the tests were altered over time to do just as you say: nothing at all.