Posted to dev@directory.apache.org by Trustin Lee <tr...@gmail.com> on 2005/10/25 12:43:21 UTC

Re: [apacheds]ACI support classes never consider "attributeValue" in ACIItem

2005/10/19, Alex Karasulu <ao...@bellsouth.net>:
>
> Trustin,
>
> Within the o.a.l.s.authz.support package nothing checks to see if the
> "attributeValue" field in a protectedItem is adhered to. For this
> reason permission checks are failing. Let me give you an example that I
> have in a testcase:
>
> I have the following ACIItem:
>
> {
>   identificationTag "searchAci",
>   precedence 14,
>   authenticationLevel none,
>   itemOrUserFirst userFirst:
>   {
>     userClasses { allUsers },
>     userPermissions
>     {
>       {
>         protectedItems { entry, attributeType { ou }, allAttributeValues { objectClass }, attributeValue { ou=0, ou=1, ou=2 } },
>         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
>       }
>     }
>   }
> }
>
> This should only allow the return of ou values that are "0", "1" and "2"
> and not allow the return of other ou values in a search. However it's
> not doing that. Nothing in the support pkg seems to test to see if the
> value is equal to any of these values.
>
> Could you advise on what's happening?


It was because RelatedProtectedItemFilter didn't ignore AttributeType when
operationScope is not ATTRIBUTE_TYPE_AND_VALUE. Now it should work fine.

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/
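
The scope rule this thread turns on, as an added example that is not ApacheDS code and not part of the original messages: a simplified model in which each protected item is matched only at the operation scope it applies to, so that `attributeType { ou }` cannot act as a value-level grant. It assumes the intended behaviour is the one Alex describes; the class, enum and method names are hypothetical, and matching is plain string equality rather than schema-aware comparison.

```java
import java.util.List;
import java.util.Set;

// Added illustration: hypothetical names, not the ApacheDS RelatedProtectedItemFilter.
public class ScopeAwareItemMatch {
    enum Scope { ENTRY, ATTRIBUTE_TYPE, ATTRIBUTE_TYPE_AND_VALUE }
    enum Kind { ENTRY, ATTRIBUTE_TYPE, ALL_ATTRIBUTE_VALUES, ATTRIBUTE_VALUE }

    // names holds attribute types, or "type=value" pairs for ATTRIBUTE_VALUE items.
    record Item(Kind kind, Set<String> names) {}

    // True when at least one protected item applies to the thing being accessed.
    static boolean isRelated(List<Item> items, Scope scope, String attr, String value) {
        for (Item item : items) {
            boolean related = switch (item.kind()) {
                case ENTRY -> scope == Scope.ENTRY;
                // A type-level item must not match when a single value is being checked.
                case ATTRIBUTE_TYPE ->
                    scope == Scope.ATTRIBUTE_TYPE && item.names().contains(attr);
                case ALL_ATTRIBUTE_VALUES ->
                    scope == Scope.ATTRIBUTE_TYPE_AND_VALUE && item.names().contains(attr);
                case ATTRIBUTE_VALUE ->
                    scope == Scope.ATTRIBUTE_TYPE_AND_VALUE
                        && item.names().contains(attr + "=" + value);
            };
            if (related) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // The protectedItems from the ACIItem quoted in the thread.
        List<Item> items = List.of(
            new Item(Kind.ENTRY, Set.of()),
            new Item(Kind.ATTRIBUTE_TYPE, Set.of("ou")),
            new Item(Kind.ALL_ATTRIBUTE_VALUES, Set.of("objectClass")),
            new Item(Kind.ATTRIBUTE_VALUE, Set.of("ou=0", "ou=1", "ou=2")));

        System.out.println("type ou:    "
            + isRelated(items, Scope.ATTRIBUTE_TYPE, "ou", null));
        System.out.println("value ou=1: "
            + isRelated(items, Scope.ATTRIBUTE_TYPE_AND_VALUE, "ou", "1"));
        // Constructed value outside the ACIItem's list; no item should relate to it.
        System.out.println("value ou=5: "
            + isRelated(items, Scope.ATTRIBUTE_TYPE_AND_VALUE, "ou", "5"));
    }
}
```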