Please review: [389 Project] #47571: targetattr ACIs ignore subtype
by Noriko Hosoi
https://fedorahosted.org/389/ticket/47571
https://fedorahosted.org/389/attachment/ticket/47571/0001-Ticket-47571-ta...
Description:
Subtypes in targetattr, userattr in aci as well as filter and attribute list in the search are supported.
* If targetattr contains subtypes, the base type only as well as other subtypes are not allowed to access (or denied to access).
* If userattr contains subtypes, the base type as well as other subtypes in entries do not match the userattr value.
* If attribute list in search has a base type attribute, and a targetattr has a type with subtypes, then only the subtyped value is returned. E.g.,
    attribute list: sn
    targetattr: sn;en
    ==>
    sn;en: <sn-en-value> is returned
    but
    sn or sn;fr is not.
  If attribute list has a type with subtype, then if the targetattr allows the subtype, the value is returned. E.g.,
    attribute list: sn;en
    targetattr: sn;en
    ==>
    sn;en: <sn-en-value> is returned
    but
    sn or sn;fr is not.

1) slapd/attr.c
Added another compare type SLAPI_TYPE_CMP_SUBTYPES to comp_cmp which is called by slapi_attr_type_cmp to support full compare subtypes.

2) plugin/acl.c:
Added a helper function acl__attr_subtype_cmp, which calls slapi_attr_type_cmp with SLAPI_TYPE_CMP_SUBTYPES if a type in aci contains subtypes.
Some slapi_attr_type_cmp calls take SLAPI_TYPE_CMP_SUBTYPES instead of BASE, which was one of the causes of ignoring subtypes.

3) slapd/search.c,result.c
send_all_attrs/send_specific_attrs use a dontsendattr array to control the duplicate attribute types. Replaced the logic with a simpler one by creating a charray with no duplicates.
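Added example, not part of the original message or of the 389 patch: a stand-alone C model of the matching rules described above, showing why a base-only compare over-grants when targetattr is sn;en. All function names are hypothetical; it assumes that a name without subtypes matches by base type, that a requested name with subtypes must match the entry attribute exactly, and that subtype order and case do not matter.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Base compare: everything before the first ';', case-insensitive. */
static size_t base_len(const char *t) { return strcspn(t, ";"); }
static int base_eq(const char *a, const char *b) {
    size_t la = base_len(a), lb = base_len(b);
    return la == lb && strncasecmp(a, b, la) == 0;
}

/* 1 if the subtype opt[0..len) appears among t's ';'-separated subtypes. */
static int has_opt(const char *t, const char *opt, size_t len) {
    const char *p = t + base_len(t);
    while (*p == ';') {
        size_t l = strcspn(++p, ";");
        if (l == len && strncasecmp(p, opt, len) == 0) return 1;
        p += l;
    }
    return 0;
}

/* 1 if every subtype of a also appears in b. */
static int opts_subset(const char *a, const char *b) {
    for (const char *p = a + base_len(a); *p == ';'; ) {
        size_t l = strcspn(++p, ";");
        if (!has_opt(b, p, l)) return 0;
        p += l;
    }
    return 1;
}

/* Full compare: same base type and the same set of subtypes. */
static int full_eq(const char *a, const char *b) {
    return base_eq(a, b) && opts_subset(a, b) && opts_subset(b, a);
}

/* A name carrying subtypes matches only the identical description;
   a bare base type matches by base (assumption of this model). */
static int name_matches(const char *name, const char *attr) {
    return strchr(name, ';') ? full_eq(name, attr) : base_eq(name, attr);
}

/* Is entry attribute attr returned for this attribute-list item and targetattr? */
int returned(const char *requested, const char *targetattr, const char *attr) {
    return name_matches(requested, attr) && name_matches(targetattr, attr);
}

int main(void) { /* constructed inputs taken from the two cases in the message */
    printf("%d %d\n", returned("sn", "sn;en", "sn;en"), returned("sn", "sn;en", "sn;fr"));
    return 0;
}
```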