| Trustin Lee 2005-10-25, 7:45 am |
| 2005/10/19, Alex Karasulu <aok123-Bdlq13kUjeyLZ21kGMrzwg@public.gmane.org>:
>
> Trustin,
>
> Within the o.a.l.s.authz.support package nothing checks to see if the
> "attributeValue" field in a protectedItem is adhered too. For this
> reason permission checks are failing. Let me give you an example that I
> have in a testcase:
>
> I have the following ACIItem:
>
> {
> identificationTag "searchAci"
> precedence 14
> authenticationLevel none,
> itemOrUserFirst userFirst:
> {
> userClasses { allUsers },
> userPermissions
> {
> {
> protectedItems {entry, attributeType { ou }, allAttributeValues
> { objectClass }, attributeValue { ou=0, ou=1, ou=2 } }, grantsAndDenials
> { grantRead, grantReturnDN, grantBrowse } }
> }
> }
> }
>
> This should only allow the return of ou values that are "0", "1" and "2"
> and not allow the return of other ou values in a search. However it's
> not doing that. Nothing in the support pkg seems to test to see if the
> value is equal to any of these values.
>
> Could you advise on what's happening?
It was because RelatedProtectedItemFilter didn't ignore AttributeType when
operationScope is not ATTRIBUTE_TYPE_AND_VALUE. Now it should work fine.
Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/
|