Summary: GER: allow GER for non-existing entries
https://bugzilla.redhat.com/show_bug.cgi?id=437525
FDS is trying to support these requirements.
http://directory.fedoraproject.org/wiki?title=Get_Effective_Rights_for_non-p...
Get Effective Rights is enhanced to support these requirements:
- a requester should be able to see the effective rights of each entry returned from the search request if the subject user is identical to the requester. This functionality can be used, e.g., for an address card to determine which fields are to be writable and which are to be grayed out depending upon the user who opens the card.
- the attribute list to be retrieved accepts '*' for all the available attributes belonging to the returned entry as well as '+' for the operational attributes, to allow the requester to get the effective rights of all the non-existing attributes.
- the attribute list to be retrieved accepts "<attr>@<objectclassname>", where <attr> is an attribute type (e.g., cn) or '*' for all attributes and <objectclassname> is a type of objectclass (e.g., inetorgperson).
Your reviews would be greatly appreciated. --noriko
------- Additional Comments From nhosoi@redhat.com 2008-06-20 19:24 EST -------
Created an attachment (id=309953) --> (https://bugzilla.redhat.com/attachment.cgi?id=309953&action=view) cvs diffs

Files:
ldap/servers/slapd/charray.c
ldap/servers/slapd/opshared.c
ldap/servers/slapd/pblock.c
ldap/servers/slapd/result.c
ldap/servers/slapd/schema.c
ldap/servers/slapd/search.c
ldap/servers/slapd/slapi-plugin.h
ldap/servers/slapd/slapi-private.h
ldap/servers/plugins/acl/acleffectiverights.c
ldap/servers/plugins/chainingdb/cb_config.c
ldap/servers/plugins/chainingdb/cb_controls.c
ldap/servers/plugins/chainingdb/cb_instance.c

Change descriptions:

[slapd/charray.c]
new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
modified: charray_remove -- introduced "freeit" flag. If true, the removed string is freed. (The API is used only in chainingdb. The change is applied to the plugin.)

[slapd/opshared.c]
modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in iterate to support "@<objectclass>". It needs to be done at that location since we have to call the acl plugin even when no entries are returned from the search. If no entries are returned and "@<objectclass>" is found in the attribute list, the acl effective rights code generates the corresponding template entry.

[slapd/pblock.c]
a place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an array of strings which store "...@<objectclass>".

[slapd/result.c]
moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)

[slapd/schema.c]
new: slapi_schema_list_objectclass_attributes -- return the required and/or allowed attributes belonging to the given objectclass. This is used to support "*" and "+" in get effective rights.
new: slapi_schema_get_superior_name -- return the superior objectclass name of the given objectclass.

[slapd/search.c]
if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part out and add it to the attrs array (pblock SLAPI_SEARCH_ATTRS), and store the original string in gerattrs (pblock SLAPI_SEARCH_GERATTRS).

[plugin/acl/acleffectiverights.c]
modified: _ger_g_permission_granted -- if the requester and the subject user are identical, give "g" permission
modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does not guarantee the result of the overlap copy.
modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the object) and "+" (operational attributes). If repeated attributes are found in the given attribute list, they are reduced to one.
new: _ger_generate_template_entry -- generate a template entry if "@<objectclass>" is passed.

[plugin/cb/*]
adjusted to the updated charray_remove.

Please see also this wiki page for the overview and test cases. http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present...
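
The attribute-list handling described in the [slapd/search.c] note above, as an added C sketch that is not taken from the attached patch or the server source. `ger_split_attrs`, `struct ger_split`, `MAX_ITEMS` and the rejection of an empty <attr> or <objectclass> are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ITEMS 15 /* assumed cap so the fixed arrays cannot overflow */

/* Hypothetical stand-ins for the two pblock slots named in the change notes. */
struct ger_split {
    char *attrs[MAX_ITEMS + 1];    /* role of SLAPI_SEARCH_ATTRS */
    char *gerattrs[MAX_ITEMS + 1]; /* role of SLAPI_SEARCH_GERATTRS */
    size_t nattrs, nger;
};

static char *dup_n(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

void ger_split_free(struct ger_split *s) {
    for (size_t i = 0; i < s->nattrs; i++) free(s->attrs[i]);
    for (size_t i = 0; i < s->nger; i++) free(s->gerattrs[i]);
    memset(s, 0, sizeof *s);
}

/* Split a NULL-terminated request list. Returns 0, or -1 with *out emptied
 * on an empty <attr>/<objectclass>, too many items, or allocation failure. */
int ger_split_attrs(const char *const *req, struct ger_split *out) {
    memset(out, 0, sizeof *out);
    for (; *req; req++) {
        const char *at = strchr(*req, '@');
        size_t alen = at ? (size_t)(at - *req) : strlen(*req);
        if (alen == 0 || (at && at[1] == '\0') || out->nattrs == MAX_ITEMS)
            goto fail;
        if (!(out->attrs[out->nattrs] = dup_n(*req, alen))) goto fail;
        out->nattrs++;                 /* only the "<attr>" part is searched */
        if (!at) continue;
        if (!(out->gerattrs[out->nger] = dup_n(*req, strlen(*req)))) goto fail;
        out->nger++;                   /* original string kept for the acl code */
    }
    return 0;
fail:
    ger_split_free(out);
    return -1;
}

int main(void) {
    const char *req[] = { "cn", "*@inetorgperson", "sn@person", NULL }; /* constructed */
    struct ger_split s;
    if (ger_split_attrs(req, &s) != 0) return 1;
    for (size_t i = 0; i < s.nattrs; i++) printf("attr: %s\n", s.attrs[i]);
    for (size_t i = 0; i < s.nger; i++) printf("ger:  %s\n", s.gerattrs[i]);
    ger_split_free(&s);
}
```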

On Fri, 2008-06-20 at 16:29 -0700, Noriko Hosoi wrote:
> Summary: GER: allow GER for non-existing entries
> https://bugzilla.redhat.com/show_bug.cgi?id=437525
> FDS is trying to support these requirements.
> http://directory.fedoraproject.org/wiki?title=Get_Effective_Rights_for_non-p...

While I would still like this to just appear as an attribute (requested by inclusion in the attributes list in a search), this, subject to testing at a later time, seems to meet Samba4's requirements.
Andrew Bartlett
389-devel@lists.fedoraproject.org