Summary: GER: allow GER for non-existing entries
FDS is trying to support these requirements.
Get Effective Rights is enhanced to support these requirements:
1. a requester should be able to see the effective rights of each
entry returned from the search request if the subject user is
identical to the requester. This functionality can be used, e.g., for
an address card to determine which fields are to be writable and which
are to be grayed out depending upon the user who opens the card.
2. the attribute list to be retrieved accepts '*' for all the
available attributes belonging to the returned entry as well as '+'
for the operational attributes to allow the requester to get the
effective rights of all the non-existing attributes.
3. the attribute list to be retrieved accepts
"<attr>@<objectclassname>", where <attr> is an attribute type (e.g.,
cn) or '*' for all attributes and <objectclassname> is a type of
objectclass (e.g., inetorgperson).
Your reviews would be greatly appreciated.
------- Additional Comments From nhosoi(a)redhat.com 2008-06-20 19:24 EST -------
Created an attachment (id=309953)
new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
modified: charray_remove -- introduced "freeit" flag. If true, the removed
string is freed. (The API is used only in chainingdb. The change is applied
to the plugin.)
modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in the iterate to support
"@<objectclass>". It's needed to do at the location since we have to
when no entries are returned from the search. If no entries are returned and
"@<objectclass>" is found in the attribute list, acl effective rights
generates the corresponding template entry.
place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an
array of strings which store "...@<objectclass>".
moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)
new: slapi_schema_list_objectclass_attributes -- return the required and/or
allowed attributes belonging to the given objectclass. This is used to support
"*" and "+" in the get effective rights.
new: slapi_schema_get_superior_name -- return the superior objectclass name of
the given objectclass.
if "<attr>@<objectclass>" is found in the attribute list, cut the
out and added to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the
string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS).
modified: _ger_g_permission_granted -- if the requester and the subject user
are identical, give "g" permission
modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does
not guarantee the result of the overlap copy.
modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the
object) and "+" (operational attributes). If repeated attributes are found in
the given attribute list, they are reduced to one.
new: _ger_generate_template_entry -- generate a template entry if
"@<objectclass>" is passed.
adjusted to the updated charray_remove.
Please see also this wiki page for the overview and test cases.
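
The attribute-list handling described in the comment above, sketched as an added example; it is not code from the attached patch or from the Directory Server source. The names ger_split_attrs, arr_add_nodup and ger_free_array are hypothetical, and the example assumes that the part before '@' is what goes into the attrs array, that the complete "<attr>@<objectclass>" string is what goes into gerattrs, and that malformed items are rejected.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not the server's charray API): append a copy of the
 * first len bytes of s to a NULL-terminated array, skipping duplicates. */
static int arr_add_nodup(char ***arr, const char *s, size_t len)
{
    size_t n = 0;
    char **a = *arr;
    for (; a && a[n]; n++)
        if (strlen(a[n]) == len && strncasecmp(a[n], s, len) == 0)
            return 0;                /* repeated item: keep the first only */
    a = realloc(a, (n + 2) * sizeof(*a));
    if (!a) return -1;
    *arr = a;
    a[n] = malloc(len + 1);          /* a NULL here still terminates the array */
    if (!a[n]) return -1;
    memcpy(a[n], s, len);            /* bounded copy, then explicit terminator */
    a[n][len] = '\0';
    a[n + 1] = NULL;
    return 0;
}

/* Free an array built by arr_add_nodup. */
void ger_free_array(char **a)
{
    for (char **p = a; p && *p; p++)
        free(*p);
    free(a);
}

/* Split a requested attribute list. Plain names ("cn", "*", "+") and the part
 * before '@' go to attrs; whole "<attr>@<objectclass>" strings go to gerattrs.
 * Assumption of this example: "@oc", "attr@" and "a@b@c" are malformed.
 * Returns 0 on success, -1 on a malformed item or allocation failure. */
int ger_split_attrs(const char *const *req, char ***attrs, char ***gerattrs)
{
    *attrs = *gerattrs = NULL;
    for (; req && *req; req++) {
        const char *at = strchr(*req, '@');
        size_t alen = at ? (size_t)(at - *req) : strlen(*req);
        if (alen == 0 || (at && (at[1] == '\0' || strchr(at + 1, '@'))))
            return -1;
        if (arr_add_nodup(attrs, *req, alen) != 0)
            return -1;
        if (at && arr_add_nodup(gerattrs, *req, strlen(*req)) != 0)
            return -1;
    }
    return 0;
}
```

On a -1 return the caller still owns whatever was allocated so far and should pass both arrays to ger_free_array.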