Let me extend the topic a little bit.

The problem that (I think) I faced is that when a user has only
grantAdd permission for allAttributeValues he/she should not be able
to add a new instance of the attribute to the entry. It only allows
adding a new value to an existing attribute. However, it's not the case
for ApacheDS now. It allows adding new attributes although having only
grantAdd for allAttributeValues. This is also demonstrated in the
current unit tests:

http://svn.apache.org/viewvc/directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?view=markup

If I am right, these tests (as well as some others possibly) will need
to change too.

On 7/4/07, Ersin Er <[EMAIL PROTECTED]> wrote:
Hi,

As I am browsing the Authorization code and doing some tests, I saw
that we do not have an ATTRIBUTE_VALUE scope in the following class:
http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java?view=markup

IMO, we need such an operation scope because in a case where you have
allAttributeValues protectedItem with grantAdd permission you should
be only allowed to add new values to an existing attribute. So this
kind of operation only deals with values, not attribute type or not
both.

If I am right, not handling this operation scope causes several
problems in the Authorization system which is the real problem. I
still need to write some tests and figure out which part of the code
really deals with handling those scopes.

I just wanted to inform you and get your ideas on the topic if any.

Thanks.

--
Ersin



--
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
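
The distinction argued for in the thread above, as an added sketch that is not ApacheDS code and not part of the original messages: a modify-add is treated as value-only when the attribute already exists in the entry, and otherwise also needs grantAdd on the attribute type. The class, enum and method names are hypothetical, and the permission model is reduced to the two protected items the thread mentions.

```java
import java.util.*;

// Hypothetical, simplified model; not the ApacheDS ACI engine or its API.
public class ModifyAddCheck {
    enum ProtectedItem { ATTRIBUTE_TYPE, ALL_ATTRIBUTE_VALUES }

    // grantAdd permissions the requester holds, keyed by lower-cased attribute name.
    private final Map<String, Set<ProtectedItem>> grantAdd = new HashMap<>();

    void grant(String attr, ProtectedItem item) {
        grantAdd.computeIfAbsent(attr.toLowerCase(),
                k -> EnumSet.noneOf(ProtectedItem.class)).add(item);
    }

    // Decide a modify-add of values to `attr`; `entry` maps lower-cased names to current values.
    boolean mayAddValues(Map<String, List<String>> entry, String attr) {
        String key = attr.toLowerCase();
        Set<ProtectedItem> held = grantAdd.getOrDefault(key, Collections.emptySet());
        // Adding values always needs grantAdd on allAttributeValues.
        if (!held.contains(ProtectedItem.ALL_ATTRIBUTE_VALUES)) return false;
        List<String> existing = entry.get(key);
        boolean attributePresent = existing != null && !existing.isEmpty();
        // Value-only scope: the attribute exists, so no new attribute is introduced.
        if (attributePresent) return true;
        // Otherwise the operation also creates the attribute, which needs grantAdd on the type.
        return held.contains(ProtectedItem.ATTRIBUTE_TYPE);
    }

    public static void main(String[] args) {
        // Constructed sample entry: has "cn" but no "description".
        Map<String, List<String>> entry = new HashMap<>();
        entry.put("cn", Arrays.asList("Test User"));

        ModifyAddCheck acl = new ModifyAddCheck();
        acl.grant("cn", ProtectedItem.ALL_ATTRIBUTE_VALUES);
        acl.grant("description", ProtectedItem.ALL_ATTRIBUTE_VALUES);

        // Case 1: new value for an attribute that already exists.
        System.out.println("cn: " + acl.mayAddValues(entry, "cn"));
        // Case 2: same permission, but the attribute is absent from the entry.
        System.out.println("description: " + acl.mayAddValues(entry, "description"));
        // Case 3: after grantAdd on the attribute type is also held.
        acl.grant("description", ProtectedItem.ATTRIBUTE_TYPE);
        System.out.println("description (with type grant): " + acl.mayAddValues(entry, "description"));
    }
}
```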
