[389-devel] Please review (take 2): [389 Project] #47571: targetattr ACIs ignore subtype


 



https://fedorahosted.org/389/ticket/47571

https://fedorahosted.org/389/attachment/ticket/47571/0001-Ticket-47571-targetattr-ACIs-ignore-subtype.2.patch

Description:
Subtypes in targetattr, userattr in aci as well as filter and attribute list
in the search are supported.
* If targetattr contains subtypes, the base type only as well as other subtypes
  are not allowed to access (or denied to access).
* If userattr contains subtypes, the base type as well as other subtypes in
  entries do not match the userattr value.
* If attribute list in search has a base type attribute, and a targetattr has
  a type with subtypes, then only the subtyped value is returned. E.g.,
    attribute list: sn
    targetattr: sn;en
      ==>
    sn;en: <sn-en-value> and
    sn;en;phonetic: <sn-en-phonetic-value> are returned
    but
    sn or sn;fr is not.
* If attribute list has a type with subtype, then if the targetattr allows the
  subtype, the value is returned.  E.g.,
    attribute list: sn;en
    targetattr: sn;en
      ==>
    sn;en: <sn-en-value> and
    sn;en;phonetic: <sn-en-phonetic-value> are returned
    but
    sn or sn;fr is not.
1) slapd/attr.c
   * slapi_attr_type_cmp assumed the subtype order in 2 args are identical,
     but it is not always guaranteed.  Removed the assumption.
   * Added another compare type SLAPI_TYPE_CMP_SUBTYPES to comp_cmp which is
     called by slapi_attr_type_cmp to support full subtypes comparison.
2) plugin/acl.c:
   * Changed to call slapi_attr_type_cmp with human readable macros, e.g.,
     SLAPI_TYPE_CMP_BASE, SLAPI_TYPE_CMP_SUBTYPE, etc.
   * Replaced strcasecmp with slapi_attr_type_cmp for attribute type comparison.
   * Changed to call slapi_attr_type_cmp with SLAPI_TYPE_CMP_SUBTYPES (full
     subtype comparison) in acl__get_attrEval, where the next attribute to
     compare is determined.
3) slapd/search.c, result.c
   * send_all_attrs/send_specific_attrs use a dontsendattr array to control
     the duplicate attribute types.  Replaced the logic with a simpler one by
     creating a charray with no duplicates.

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
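
The matching rule described in the message (a targetattr of sn;en covers sn;en and sn;en;phonetic but not sn or sn;fr, with no assumption about subtype order) can be sketched as follows. This is an added example, not code from the patch or from 389 Directory Server; `split_type` and `target_covers_attr` are hypothetical names, and treating a targetattr without subtypes as covering every subtype of its base type is an assumption.

```c
/* Added illustration, not 389 DS code; function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_OPTS 8

/* Split "sn;en;phonetic" in place; returns subtype count, -1 if malformed. */
static int split_type(char *buf, char *opts[MAX_OPTS])
{
    int n = 0;
    for (char *p = strchr(buf, ';'); p != NULL; p = strchr(p, ';')) {
        *p++ = '\0';
        if (n == MAX_OPTS || *p == '\0' || *p == ';')
            return -1;
        opts[n++] = p;
    }
    return n;
}

/* True when the base types match and every subtype in `target` (a targetattr
 * value) also appears on `attr` (a type from an entry), in any order. */
bool target_covers_attr(const char *target, const char *attr)
{
    char tbuf[128], abuf[128];
    char *topts[MAX_OPTS], *aopts[MAX_OPTS];

    if (strlen(target) >= sizeof tbuf || strlen(attr) >= sizeof abuf)
        return false;                      /* fail closed on oversized input */
    strcpy(tbuf, target);
    strcpy(abuf, attr);
    int tn = split_type(tbuf, topts), an = split_type(abuf, aopts);
    if (tn < 0 || an < 0 || strcasecmp(tbuf, abuf) != 0)
        return false;                      /* malformed type or different base */
    for (int i = 0; i < tn; i++) {
        bool found = false;
        for (int j = 0; j < an && !found; j++)
            found = strcasecmp(topts[i], aopts[j]) == 0;
        if (!found)
            return false;                  /* attr lacks a required subtype */
    }
    return true;
}

int main(void)
{
    const char *attrs[] = { "sn", "sn;en", "sn;fr", "sn;phonetic;en" }; /* constructed */
    for (size_t i = 0; i < sizeof attrs / sizeof attrs[0]; i++)
        printf("%-16s %s\n", attrs[i], target_covers_attr("sn;en", attrs[i]) ? "allowed" : "denied");
    return 0;
}
```

Malformed types such as an empty subtype are rejected rather than matched, so a parsing surprise cannot widen what an ACI grants.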




