[Fedora-directory-devel] Please review: [Bug 437525] GER: allow GER for non-existing entries

Noriko Hosoi nhosoi at redhat.com
Fri Jun 20 23:29:30 UTC 2008


Summary: GER: allow GER for non-existing entries

https://bugzilla.redhat.com/show_bug.cgi?id=437525

FDS is trying to support these requirements.

http://directory.fedoraproject.org/wiki?title=Get_Effective_Rights_for_non-present_attributes#Overview

> Get Effective Rights is enhanced to support these requirements:
>
> 1. a requester should be able to see the effective rights of each 
> entry returned from the search request if the subject user is 
> identical to the requester. This functionality can be used, e.g., for 
> an address card to determine which fields to be writable and to be 
> grayed out depending upon the user who opens the card.
>
> 2. the attribute list to be retrieved accepts '*' for all the
> available attributes belonging to the returned entry as well as '+'
> for the operational attributes to allow the requester to get the
> effective rights of all the non-existing attributes.
>
> 3. the attribute list to be retrieved accepts 
> "<attr>@<objectclassname>", where <attr> is an attribute type (e.g., 
> cn) or '*' for all attributes and <objectclassname> is a type of 
> objectclass (e.g., inetorgperson).
>
Your reviews would be greatly appreciated.
--noriko

------- Additional Comments From nhosoi at redhat.com  2008-06-20 19:24 EST -------
Created an attachment (id=309953)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=309953&action=view)
cvs diffs

Files:
 ldap/servers/slapd/charray.c
 ldap/servers/slapd/opshared.c
 ldap/servers/slapd/pblock.c
 ldap/servers/slapd/result.c
 ldap/servers/slapd/schema.c
 ldap/servers/slapd/search.c
 ldap/servers/slapd/slapi-plugin.h
 ldap/servers/slapd/slapi-private.h
 ldap/servers/plugins/acl/acleffectiverights.c
 ldap/servers/plugins/chainingdb/cb_config.c
 ldap/servers/plugins/chainingdb/cb_controls.c
 ldap/servers/plugins/chainingdb/cb_instance.c

Change descriptions:
[slapd/charray.c]
new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
modified: charray_remove -- introduced "freeit" flag.  If true, the removed
string is freed.  (The API is used only in chainingdb.  The change is applied
to the plugin.)

[slapd/opshared.c]
modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in the iterate to support
"@<objectclass>".  It's needed to do at the location since we have to call acl
plugin even when no entries are returned from the search.  If no entries are
returned and "@<objectclass>" is found in the attribute list, acl effective
rights code generates the corresponding template entry.

[slapd/pblock.c]
place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an
array of strings which store "...@<objectclass>".

[slapd/result.c]
moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)

[slapd/schema.c]
new: slapi_schema_list_objectclass_attributes -- return the required and/or
allowed attributes belonging to the given objectclass.  This is used to support
"*" and "+" in the get effective rights.
new: slapi_schema_get_superior_name -- return the superior objectclass name of
the given objectclass.

[slapd/search.c]
if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part
out and add it to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the
original string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS).

[plugin/acl/acleffectiverights.c]
modified: _ger_g_permission_granted -- if the requester and the subject user
are identical, give "g" permission
modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does
not guarantee the result of the overlap copy.
modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the
object) and "+" (operational attributes).  If repeated attributes are found in
the given attribute list, they are reduced to one.
new: _ger_generate_template_entry -- generate a template entry if
"@<objectclass>" is passed.

[plugins/cb/*]
adjusted to the updated charray_remove.

Please see also this wiki page for the overview and test cases.
http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present_attributes
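
The attribute-list split described under [slapd/search.c], sketched as an added example (not code from the patch or from Fedora Directory Server): plain names go to one array, the original "<attr>@<objectclass>" strings to another. The names ger_request, ger_split_attrs, add_nodup and MAX_ATTRS are hypothetical, and the fixed capacity, the de-duplication at this stage and the rejection of "cn@" are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define MAX_ATTRS 16 /* fixed capacity keeps the sketch short (assumption) */
struct ger_request {               /* hypothetical stand-in for the two pblock slots */
    char *attrs[MAX_ATTRS + 1];    /* plain names, as in SLAPI_SEARCH_ATTRS */
    char *gerattrs[MAX_ATTRS + 1]; /* original strings, as in SLAPI_SEARCH_GERATTRS */
};

/* Store a copy of s[0..len) unless an equal name (case-insensitive) is present.
 * Returns 0 if stored or duplicate, -1 if the array is full or malloc fails. */
static int add_nodup(char **arr, const char *s, size_t len)
{
    size_t i;
    for (i = 0; arr[i] != NULL; i++)
        if (strlen(arr[i]) == len && strncasecmp(arr[i], s, len) == 0)
            return 0;
    if (i >= MAX_ATTRS || (arr[i] = malloc(len + 1)) == NULL)
        return -1;
    memcpy(arr[i], s, len);
    arr[i][len] = '\0';
    return 0;
}

/* Split a NULL-terminated, client-supplied attribute list. Entries are malloc'd
 * and owned by the caller; on failure the ones already stored stay in *out. */
int ger_split_attrs(const char *const *req, struct ger_request *out)
{
    memset(out, 0, sizeof(*out));
    for (; *req != NULL; req++) {
        const char *at = strchr(*req, '@');
        size_t alen = at ? (size_t)(at - *req) : strlen(*req);
        /* "cn@" names no objectclass: rejected here (assumed policy) */
        if (at && (at[1] == '\0' || add_nodup(out->gerattrs, *req, strlen(*req))))
            return -1;
        /* "@person" has an empty <attr> part, so nothing goes into attrs */
        if (alen > 0 && add_nodup(out->attrs, *req, alen))
            return -1;
    }
    return 0;
}

int main(void)
{
    const char *const req[] = { "cn", "*@inetorgperson", "CN", "sn@person", NULL };
    struct ger_request r;
    if (ger_split_attrs(req, &r) != 0) return 1;
    for (size_t i = 0; r.attrs[i]; i++) printf("attr:    %s\n", r.attrs[i]);
    for (size_t i = 0; r.gerattrs[i]; i++) printf("gerattr: %s\n", r.gerattrs[i]);
    return 0;
}
```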
