Posted to commits@directory.apache.org by tr...@apache.org on 2005/09/20 01:36:48 UTC
svn commit: r290310 - in
/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl:
ACDFEngine.java ACIItem.java ACITuple.java GrantAndDenial.java
ItemFirstACIItem.java MicroOperation.java UserFirstACIItem.java
Author: trustin
Date: Mon Sep 19 16:36:40 2005
New Revision: 290310
URL: http://svn.apache.org/viewcvs?rev=290310&view=rev
Log:
* Added MicroOperation
* GrantAndDenial now uses MicroOperation
* ACITuple now accepts a collection of MicroOperations and grant flag instead of a collection of GrantsAndDenials
* Users should specify a collection of MicroOperations instead of a collection of Grants.
Added:
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/MicroOperation.java (with props)
Modified:
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACIItem.java
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACITuple.java
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/GrantAndDenial.java
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ItemFirstACIItem.java
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/UserFirstACIItem.java
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java?rev=290310&r1=290309&r2=290310&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java Mon Sep 19 16:36:40 2005
@@ -15,7 +15,9 @@
*/
package org.apache.ldap.common.acl;
+import java.util.ArrayList;
import java.util.Collection;
+import java.util.Iterator;
import javax.naming.Name;
import javax.naming.directory.Attributes;
@@ -33,6 +35,7 @@
* (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
* if the user doesn't have any permission to perform the specified grants.
*
+ * @param userGroupName the DN of the group of the user who is trying to access the resource
* @param username the DN of the user who is trying to access the resource
* @param entryName the DN of the entry the user is trying to access
* @param attrId the attribute type of the attribute the user is trying to access.
@@ -40,17 +43,19 @@
* @param attrValue the attribute value of the attribute the user is trying to access.
* <tt>null</tt> if the user is not accessing a specific attribute value.
* @param entry the attributes of the entry
- * @param requiredGrants the required grants to perform the operation
+ * @param microOperations the {@link MicroOperation}s to perform
* @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
* @throws LdapNoPermissionException if user don't have enough permission to perform the operation
*/
public void checkPermission(
- Name username,
+ Name userGroupName, Name username, AuthenticationLevel authenticationLevel,
Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection requiredGrants, Collection aciTuples ) throws LdapNoPermissionException
+ Collection microOperations, Collection aciTuples ) throws LdapNoPermissionException
{
- if( !hasPermission( username, entryName, attrId, attrValue, entry,
- requiredGrants, aciTuples ) )
+ if( !hasPermission(
+ userGroupName, username, authenticationLevel,
+ entryName, attrId, attrValue, entry,
+ microOperations, aciTuples ) )
{
throw new LdapNoPermissionException();
}
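Review bot: The Javadoc for checkPermission has no `@param authenticationLevel` entry although this hunk adds the parameter to the signature; the hasPermission hunk below has the same gap. filterUserClasses compares this value with each tuple's `getAuthenticationLevel()`, so I would add `@param authenticationLevel the authentication level of the user, compared with the level each {@link ACITuple} requires` to both comments. The summary sentence above still says "perform the specified grants", which no longer matches the `microOperations` parameter.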
@@ -61,6 +66,7 @@
* (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
* if the user doesn't have any permission to perform the specified grants.
*
+ * @param userGroupName the DN of the group of the user who is trying to access the resource
* @param username the DN of the user who is trying to access the resource
* @param entryName the DN of the entry the user is trying to access
* @param attrId the attribute type of the attribute the user is trying to access.
@@ -68,14 +74,87 @@
* @param attrValue the attribute value of the attribute the user is trying to access.
* <tt>null</tt> if the user is not accessing a specific attribute value.
* @param entry the attributes of the entry
- * @param requiredGrants the required grants to perform the operation
+ * @param microOperations the {@link MicroOperation}s to perform
* @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
*/
public boolean hasPermission(
- Name username,
+ Name userGroupName, Name username, AuthenticationLevel authenticationLevel,
Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection requiredGrants, Collection aciTuples )
+ Collection microOperations, Collection aciTuples )
{
+ aciTuples = filterUserClasses(
+ userGroupName, username, authenticationLevel, entryName, aciTuples );
+ //aciTuples = filterProtectedItems();
return true;
+ }
+
+ private Collection filterUserClasses(
+ Name userGroupName, Name username, AuthenticationLevel authenticationLevel,
+ Name entryName, Collection aciTuples )
+ {
+ Collection filteredTuples = new ArrayList( aciTuples );
+ for( Iterator i = aciTuples.iterator(); i.hasNext(); )
+ {
+ ACITuple tuple = ( ACITuple ) i.next();
+ if( tuple.isGrant() )
+ {
+ if( !matchUserClass( userGroupName, username, entryName, tuple.getUserClasses() ) ||
+ authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) < 0 )
+ {
+ i.remove();
+ }
+ }
+ else // Denials
+ {
+ if( !matchUserClass( userGroupName, username, entryName, tuple.getUserClasses() ) &&
+ authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) >= 0 )
+ {
+ i.remove();
+ }
+ }
+ }
+
+ return filteredTuples;
+ }
+
+ private boolean matchUserClass( Name userGroupName, Name username, Name entryName, Collection userClasses )
+ {
+ for( Iterator i = userClasses.iterator(); i.hasNext(); )
+ {
+ UserClass userClass = ( UserClass ) i.next();
+ if( userClass == UserClass.ALL_USERS )
+ {
+ return true;
+ }
+ else if( userClass == UserClass.THIS_ENTRY )
+ {
+ if( username.equals( entryName ) )
+ {
+ return true;
+ }
+ }
+ else if( userClass instanceof UserClass.Name )
+ {
+ UserClass.Name nameUserClass = ( UserClass.Name ) userClass;
+ if( nameUserClass.getNames().contains( username ) )
+ {
+ return true;
+ }
+ }
+ else if( userClass instanceof UserClass.UserGroup )
+ {
+ UserClass.UserGroup userGroupUserClass = ( UserClass.UserGroup ) userClass;
+ if( userGroupName != null && userGroupUserClass.getNames().contains( userGroupName ) )
+ {
+ return true;
+ }
+ }
+ else if( userClass instanceof UserClass.Subtree )
+ {
+ // FIXME I don't know what to do in case of subtree userClass.
+ }
+ }
+
+ return false;
}
}
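Review bot: filterUserClasses copies the input into `filteredTuples` but then iterates and calls `i.remove()` on `aciTuples`, so the returned collection is never filtered and the caller's collection is mutated instead (or the call throws UnsupportedOperationException if that collection is unmodifiable). The loop header should read `for( Iterator i = filteredTuples.iterator(); i.hasNext(); )`. In matchUserClass the `UserClass.Subtree` branch is an empty FIXME, so a tuple that lists only a subtree user class never matches; for a denial whose authentication-level test passes, that means the denial is discarded, which fails open and needs a decision before hasPermission stops returning `true` unconditionally. A null `authenticationLevel` also reaches `compareTo` with no check.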
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACIItem.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACIItem.java?rev=290310&r1=290309&r2=290310&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACIItem.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACIItem.java Mon Sep 19 16:36:40 2005
@@ -20,6 +20,9 @@
import java.io.Serializable;
import java.util.Collection;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
public abstract class ACIItem implements Serializable
{
@@ -67,4 +70,14 @@
}
public abstract Collection toTuples();
+
+ protected static Set toMicroOperations( Set grantsAndDenials )
+ {
+ Set microOps = new HashSet();
+ for( Iterator j = grantsAndDenials.iterator(); j.hasNext(); )
+ {
+ microOps.add( ( ( GrantAndDenial ) j.next() ).getMicroOperation() );
+ }
+ return microOps;
+ }
}
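Review bot: toMicroOperations drops the grant/deny polarity of every element, so it is only safe when the input set is all grants or all denials, and that precondition is not stated anywhere. The visible callers in ItemFirstACIItem and UserFirstACIItem do pass `grants` and `denials` separately, but a mixed set would silently turn a denial into a grant (or the reverse) once it is paired with the tuple's flag. I would add a Javadoc comment saying the set must contain only {@link GrantAndDenial} elements of one polarity, and that any other element type raises ClassCastException at the cast.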
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACITuple.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACITuple.java?rev=290310&r1=290309&r2=290310&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACITuple.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACITuple.java Mon Sep 19 16:36:40 2005
@@ -33,16 +33,17 @@
private final Collection userClasses;
private final AuthenticationLevel authenticationLevel;
private final Collection protectedItems;
- private final Set grantsAndDenials;
+ private final Set microOperations;
+ private final boolean grant;
private final int precedence;
public ACITuple(
Collection userClasses, AuthenticationLevel authenticationLevel,
- Collection protectedItems, Set grantsAndDenials, int precedence )
+ Collection protectedItems, Set microOperations, boolean grant, int precedence )
{
for( Iterator i = userClasses.iterator(); i.hasNext(); )
{
- if( !UserClass.class.isAssignableFrom( i.next().getClass() ) )
+ if( !( i.next() instanceof UserClass ) )
{
throw new IllegalArgumentException(
"userClasses contains an element which is not a user classs." );
@@ -51,19 +52,19 @@
for( Iterator i = protectedItems.iterator(); i.hasNext(); )
{
- if( !ProtectedItem.class.isAssignableFrom( i.next().getClass() ) )
+ if( !( i.next() instanceof ProtectedItem ) )
{
throw new IllegalArgumentException(
"protectedItems contains an element which is not a protected item." );
}
}
- for( Iterator i = grantsAndDenials.iterator(); i.hasNext(); )
+ for( Iterator i = microOperations.iterator(); i.hasNext(); )
{
- if( !GrantAndDenial.class.isAssignableFrom( i.next().getClass() ) )
+ if( !( i.next() instanceof MicroOperation ) )
{
throw new IllegalArgumentException(
- "grantsAndDenials contains an element which is not a grant or a denial." );
+ "microOperations contains an element which is not a micro operation." );
}
}
@@ -80,7 +81,8 @@
this.userClasses = Collections.unmodifiableCollection( new ArrayList( userClasses ) );
this.authenticationLevel = authenticationLevel;
this.protectedItems = Collections.unmodifiableCollection( new ArrayList( protectedItems ) );
- this.grantsAndDenials = Collections.unmodifiableSet( new HashSet( grantsAndDenials ) );
+ this.microOperations = Collections.unmodifiableSet( new HashSet( microOperations ) );
+ this.grant = grant;
this.precedence = precedence;
}
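Review bot: The `grant` flag stored here decides whether the whole tuple allows or denies its micro-operations, yet it enters the constructor as an undocumented bare boolean between a Set and an int. The call sites in ItemFirstACIItem and UserFirstACIItem pass literal `true`/`false`, so a swapped literal would invert an access-control rule with no compile-time or runtime signal. Document it on the constructor and on isGrant(), for example `@param grant <tt>true</tt> if this tuple grants the micro-operations, <tt>false</tt> if it denies them`. The constructor begins in an earlier hunk, and only its tail is visible here.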
@@ -99,9 +101,14 @@
return protectedItems;
}
- public Set getGrantsAndDenials()
+ public Set getMicroOperations()
{
- return grantsAndDenials;
+ return microOperations;
+ }
+
+ public boolean isGrant()
+ {
+ return grant;
}
public int getPrecedence()
@@ -114,7 +121,7 @@
return "ACITuple: userClasses=" + userClasses + ", " +
"authenticationLevel=" + authenticationLevel + ", " +
"protectedItems=" + protectedItems + ", " +
- "grantsAndDenials=" + grantsAndDenials + ", " +
+ ( grant? "grants=" : "denials=" ) + microOperations + ", " +
"precedence=" + precedence;
}
}
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/GrantAndDenial.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/GrantAndDenial.java?rev=290310&r1=290309&r2=290310&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/GrantAndDenial.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/GrantAndDenial.java Mon Sep 19 16:36:40 2005
@@ -22,57 +22,64 @@
{
// Permissions that may be used in conjunction with any component of
// <tt>ProtectedItem</tt>s.
- public static final GrantAndDenial GRANT_ADD = new GrantAndDenial( 0, "grantAdd", true );
- public static final GrantAndDenial DENY_ADD = new GrantAndDenial( 1, "denyAdd", false );
- public static final GrantAndDenial GRANT_DISCLOSE_ON_ERROR = new GrantAndDenial( 2, "grantDiscloseOnError", true );
- public static final GrantAndDenial DENY_DISCLOSE_ON_ERROR = new GrantAndDenial( 3, "denyDiscloseOnError", false );
- public static final GrantAndDenial GRANT_READ = new GrantAndDenial( 4, "grantRead", true );
- public static final GrantAndDenial DENY_READ = new GrantAndDenial( 5, "denyRead", false );
- public static final GrantAndDenial GRANT_REMOVE = new GrantAndDenial( 6, "grantRemove", true );
- public static final GrantAndDenial DENY_REMOVE = new GrantAndDenial( 7, "denyRemove", false );
+ public static final GrantAndDenial GRANT_ADD = new GrantAndDenial( MicroOperation.ADD, 0, true );
+ public static final GrantAndDenial DENY_ADD = new GrantAndDenial( MicroOperation.ADD, 1, false );
+ public static final GrantAndDenial GRANT_DISCLOSE_ON_ERROR = new GrantAndDenial( MicroOperation.DISCLOSE_ON_ERROR, 2, true );
+ public static final GrantAndDenial DENY_DISCLOSE_ON_ERROR = new GrantAndDenial( MicroOperation.DISCLOSE_ON_ERROR, 3, false );
+ public static final GrantAndDenial GRANT_READ = new GrantAndDenial( MicroOperation.READ, 4, true );
+ public static final GrantAndDenial DENY_READ = new GrantAndDenial( MicroOperation.READ, 5, false );
+ public static final GrantAndDenial GRANT_REMOVE = new GrantAndDenial( MicroOperation.REMOVE, 6, true );
+ public static final GrantAndDenial DENY_REMOVE = new GrantAndDenial( MicroOperation.REMOVE, 7, false );
// Permissions that may be used only in conjunction with the entry component.
- public static final GrantAndDenial GRANT_BROWSE = new GrantAndDenial( 8, "grantBrowse", true );
- public static final GrantAndDenial DENY_BROWSE = new GrantAndDenial( 9, "denyBrowse", false );
- public static final GrantAndDenial GRANT_EXPORT = new GrantAndDenial( 10, "grantExport", true );
- public static final GrantAndDenial DENY_EXPORT = new GrantAndDenial( 11, "denyExport", false );
- public static final GrantAndDenial GRANT_IMPORT = new GrantAndDenial( 12, "grantImport", true );
- public static final GrantAndDenial DENY_IMPORT = new GrantAndDenial( 13, "denyImport", false );
- public static final GrantAndDenial GRANT_MODIFY = new GrantAndDenial( 14, "grantModify", true );
- public static final GrantAndDenial DENY_MODIFY = new GrantAndDenial( 15, "denyModify", false );
- public static final GrantAndDenial GRANT_RENAME = new GrantAndDenial( 16, "grantRename", true );
- public static final GrantAndDenial DENY_RENAME = new GrantAndDenial( 17, "denyRename", false );
- public static final GrantAndDenial GRANT_RETURN_DN = new GrantAndDenial( 18, "grantReturnDN", true );
- public static final GrantAndDenial DENY_RETURN_DN = new GrantAndDenial( 19, "denyReturnDN", false );
+ public static final GrantAndDenial GRANT_BROWSE = new GrantAndDenial( MicroOperation.BROWSE, 8, true );
+ public static final GrantAndDenial DENY_BROWSE = new GrantAndDenial( MicroOperation.BROWSE, 9, false );
+ public static final GrantAndDenial GRANT_EXPORT = new GrantAndDenial( MicroOperation.EXPORT, 10, true );
+ public static final GrantAndDenial DENY_EXPORT = new GrantAndDenial( MicroOperation.EXPORT, 11, false );
+ public static final GrantAndDenial GRANT_IMPORT = new GrantAndDenial( MicroOperation.IMPORT, 12, true );
+ public static final GrantAndDenial DENY_IMPORT = new GrantAndDenial( MicroOperation.IMPORT, 13, false );
+ public static final GrantAndDenial GRANT_MODIFY = new GrantAndDenial( MicroOperation.MODIFY, 14, true );
+ public static final GrantAndDenial DENY_MODIFY = new GrantAndDenial( MicroOperation.MODIFY, 15, false );
+ public static final GrantAndDenial GRANT_RENAME = new GrantAndDenial( MicroOperation.RENAME, 16, true );
+ public static final GrantAndDenial DENY_RENAME = new GrantAndDenial( MicroOperation.RENAME, 17, false );
+ public static final GrantAndDenial GRANT_RETURN_DN = new GrantAndDenial( MicroOperation.RETURN_DN, 18, true );
+ public static final GrantAndDenial DENY_RETURN_DN = new GrantAndDenial( MicroOperation.RETURN_DN, 19, false );
// Permissions that may be used in conjunction with any component,
// except entry, of <tt>ProtectedItem</tt>s.
- public static final GrantAndDenial GRANT_COMPARE = new GrantAndDenial( 20, "grantCompare", true );
- public static final GrantAndDenial DENY_COMPARE = new GrantAndDenial( 21, "denyCompare", false );
- public static final GrantAndDenial GRANT_FILTER_MATCH = new GrantAndDenial( 22, "grantFilterMatch", true );
- public static final GrantAndDenial DENY_FILTER_MATCH = new GrantAndDenial( 23, "denyFilterMatch", false );
- public static final GrantAndDenial GRANT_INVOKE = new GrantAndDenial( 24, "grantInvoke", true );
- public static final GrantAndDenial DENY_INVOKE = new GrantAndDenial( 25, "denyInvoke", false );
+ public static final GrantAndDenial GRANT_COMPARE = new GrantAndDenial( MicroOperation.COMPARE, 20, true );
+ public static final GrantAndDenial DENY_COMPARE = new GrantAndDenial( MicroOperation.COMPARE, 21, false );
+ public static final GrantAndDenial GRANT_FILTER_MATCH = new GrantAndDenial( MicroOperation.FILTER_MATCH, 22, true );
+ public static final GrantAndDenial DENY_FILTER_MATCH = new GrantAndDenial( MicroOperation.FILTER_MATCH, 23, false );
+ public static final GrantAndDenial GRANT_INVOKE = new GrantAndDenial( MicroOperation.INVOKE, 24, true );
+ public static final GrantAndDenial DENY_INVOKE = new GrantAndDenial( MicroOperation.INVOKE, 25, false );
+ private final MicroOperation microOperation;
private final int code;
- private final String description;
+ private final String name;
private final boolean grant;
- private GrantAndDenial( int code, String description, boolean grant )
+ private GrantAndDenial( MicroOperation microOperation, int code, boolean grant )
{
+ this.microOperation = microOperation;
this.code = code;
- this.description = description;
+ this.name = ( grant? "grant" : "deny" ) + microOperation.getName();
this.grant = grant;
}
+ public MicroOperation getMicroOperation()
+ {
+ return microOperation;
+ }
+
public int getCode()
{
return code;
}
- public String getDescription()
+ public String getName()
{
- return description;
+ return name;
}
public boolean isGrant()
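Review bot: `getDescription()` is replaced by `getName()` with no deprecated bridge, and the next hunk changes toString() from `name[code]` to `[code] name`, so any caller outside this commit that uses the old accessor or matches on the old string form will break. If such callers may exist, keep `public String getDescription() { return name; }` marked `@deprecated` for one release. The class declaration is outside the hunk, so the intended visibility of this API cannot be confirmed from here.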
@@ -82,6 +89,6 @@
public String toString()
{
- return description + '[' + code + ']';
+ return "[" + code + "] " + name;
}
}
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ItemFirstACIItem.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ItemFirstACIItem.java?rev=290310&r1=290309&r2=290310&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ItemFirstACIItem.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ItemFirstACIItem.java Mon Sep 19 16:36:40 2005
@@ -99,7 +99,8 @@
itemPermission.getUserClasses(),
getAuthenticationLevel(),
protectedItems,
- grants,
+ toMicroOperations( grants ),
+ true,
precedence ) );
}
if( denials.size() > 0 )
@@ -108,7 +109,8 @@
itemPermission.getUserClasses(),
getAuthenticationLevel(),
protectedItems,
- denials,
+ toMicroOperations( denials ),
+ false,
precedence ) );
}
}
Added: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/MicroOperation.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/MicroOperation.java?rev=290310&view=auto
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/MicroOperation.java (added)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/MicroOperation.java Mon Sep 19 16:36:40 2005
@@ -0,0 +1,60 @@
+/*
+ * @(#) $Id$
+ *
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.ldap.common.acl;
+
+public class MicroOperation
+{
+ // Permissions that may be used in conjunction with any component of
+ // <tt>ProtectedItem</tt>s.
+ public static final MicroOperation ADD = new MicroOperation( "Add" );
+ public static final MicroOperation DISCLOSE_ON_ERROR = new MicroOperation( "DiscloseOnError" );
+ public static final MicroOperation READ = new MicroOperation( "Read" );
+ public static final MicroOperation REMOVE = new MicroOperation( "Remove" );
+
+ // Permissions that may be used only in conjunction with the entry component.
+ public static final MicroOperation BROWSE = new MicroOperation( "Browse" );
+ public static final MicroOperation EXPORT = new MicroOperation( "Export" );
+ public static final MicroOperation IMPORT = new MicroOperation( "Import" );
+ public static final MicroOperation MODIFY = new MicroOperation( "Modify" );
+ public static final MicroOperation RENAME = new MicroOperation( "Rename" );
+ public static final MicroOperation RETURN_DN = new MicroOperation( "ReturnDN" );
+
+ // Permissions that may be used in conjunction with any component,
+ // except entry, of <tt>ProtectedItem</tt>s.
+ public static final MicroOperation COMPARE = new MicroOperation( "Compare" );
+ public static final MicroOperation FILTER_MATCH = new MicroOperation( "FilterMatch" );
+ public static final MicroOperation INVOKE = new MicroOperation( "Invoke" );
+
+ private final String name;
+
+ private MicroOperation( String name )
+ {
+ this.name = name;
+ }
+
+ public String getName()
+ {
+ return name;
+ }
+
+ public String toString()
+ {
+ return name;
+ }
+}
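Review bot: MicroOperation is a type-safe constant class whose instances are compared by identity (it defines no equals/hashCode and ACITuple stores it in a HashSet), but it is neither `final` nor protected against duplicate instances created through serialization. ACIItem is Serializable; if a GrantAndDenial or ACITuple holding a MicroOperation is ever serialized, which this diff does not show, the write fails because MicroOperation is not Serializable, and making it Serializable without a `readResolve()` would yield copies that no longer equal the constants in permission checks. I would declare it `public final class MicroOperation` and add a class Javadoc stating that the constants are singletons to be compared by identity.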
Propchange: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/MicroOperation.java
------------------------------------------------------------------------------
svn:keywords = HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/UserFirstACIItem.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/UserFirstACIItem.java?rev=290310&r1=290309&r2=290310&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/UserFirstACIItem.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/UserFirstACIItem.java Mon Sep 19 16:36:40 2005
@@ -99,7 +99,8 @@
getUserClasses(),
getAuthenticationLevel(),
userPermission.getProtectedItems(),
- grants,
+ toMicroOperations( grants ),
+ true,
precedence ) );
}
if( denials.size() > 0 )
@@ -108,7 +109,8 @@
getUserClasses(),
getAuthenticationLevel(),
userPermission.getProtectedItems(),
- denials,
+ toMicroOperations( denials ),
+ false,
precedence ) );
}
}