On Sat, Dec 24, 2011 at 1:27 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
Hi,

we have a strange test that checks if a normal user (not the admin) can read under ou=system. This test is just totally wrong, as it uses the admin session, so I tried to fix it using a plain user. Sadly, oing so, I can read almost everyting under ou=system.

So I question the logic :
- can a normal user read something under ou=system (except his own record)
- should we instead forbid this user to read the 'uid=admin,ou=system', 'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system' entries (and their children) ?
- or should we just allow this user to read everything except if the ACI subsystem is set ?

IMO, I'd rather go for the third option.


Sounds good. 
 
Note : the test is org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin :
   /**
    * Makes sure non-admin cannot search under ou=system.
    *
    * @throws Exception if there are problems
    */
   @Test
   public void testNoSearchByNonAdmin() throws Exception
   {
       LdifEntry akarasulu = getUserAddLdif();

       getService().getAdminSession().add(
           new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

       try
       {
           ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
           getService().getAdminSession().search( new Dn( "ou=system" ), SearchScope.SUBTREE, filter , AliasDerefMode.DEREF_ALWAYS, null );
       }
       catch ( LdapNoPermissionException e )
       {
           assertNotNull( e );
       }
   }

It passes with flying colors, just because we don't check anything...


Really odd we're searching as admin here because of the admin session. I remember writing these tests a long long time ago and they should be searching with the newly created non-admin user. I guess the tests were altered over time to do just as you say: nothing at all.

--
Best Regards,
-- Alex