Hi Ersin, Please fix as you see fit. You're the most knowledgeable of us all on this topic.
I understand what you're stating and it is a subtle issue that was not easy for many to understand. Hope the fix is a quick and easy one. Alex On 7/4/07, Ersin Er <[EMAIL PROTECTED]> wrote:
Well, I think there is a solution without introducing a new Operation Scope. I'll commit it soon. On 7/4/07, Ersin Er <[EMAIL PROTECTED]> wrote: > Let me extend the topic a little bit, > > The problem (that I think is) I faced is that when a user has only > grantAdd permission for allAttributeValues he/she should not be able > to add a new instance of the attribute to the entry. It only allows > adding a new value to an existing attribute. However it's not the case > for ApacheDS now. It allows adding new attributes although having only > grantAdd for allAttributeValues. This is also demonstrated in the > current unit tests: > > http://svn.apache.org/viewvc/directory/apacheds/trunk/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?view=markup > > If I am right, these tests (as well as some others possibly) will need > to change too. > > On 7/4/07, Ersin Er <[EMAIL PROTECTED]> wrote: > > Hi, > > > > As I am browsing the Authorization code and doing some tests, I saw > > that we do not have a ATTRIBUTE_VALUE scope in the following class: > > http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java?view=markup > > > > IMO, we need such an operation scope because in a case where you have > > allAttributeValues protectedItem with grantAdd permission you should > > be only allowed to add new values to an existing attribute. So this > > kind of operation only deals with values, not attribute type or not > > both. > > > > If I am right, not handling this operation scope causes several > > problems in the Authorization system which is the real problem. I > > still need to write some tests and figure out which part of the code > > really deals with handling those scopes. > > > > I just wanted to inform you and get you ideas on the topic if any. > > > > Thanks. > > > > -- > > Ersin > > > > > -- > Ersin Er > > R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University > http://www.cs.hacettepe.edu.tr > > Committer and PMC Member of The Apache Directory Project > http://directory.apache.org > -- Ersin Er R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University http://www.cs.hacettepe.edu.tr Committer and PMC Member of The Apache Directory Project http://directory.apache.org
